I work on an online shop (Hybris, Tomcat-based) in which we have integrated several payment providers. One of them requires a detour to their domain, and they redirect back to our shop once the payment has finished.
Basically the requests are:
- Page at shop.com executes a POST request to paymentprovider.com
- Payment stuff happens at paymentprovider.com
- paymentprovider.com issues an HTTP 302 to a confirmation page on shop.com
We found that in some cases, after the redirect back to our shop, one of the following situations occurs:
- session cookies are missing in the request, permanent cookies are sent
- all cookies are missing
Our findings so far:
- It seems that this problem is not related to specific browsers or versions (we see e.g. Chrome on Windows and Android, Firefox, Samsung Browser). But we feel that this happens more frequently in recent times.
- In some cases we see that customers navigate in a 2nd tab after leaving the shop and before returning. Cookies are already missing for these 2nd tab requests.
- One customer reportedly faced the issue twice within a few minutes. This made us assume that specific client settings have an impact (e.g. privacy settings, cookie-manipulating add-ons, ...).
Example Session Cookie:
set-cookie: JSESSIONID=71284C24DCBF95B1D186C0F6C2641FD5; Path=/store; Secure; HttpOnly
Example permanent Cookie:
set-cookie: NSC_wt_ifswjt.bu_iuuq=ffffffffaf17649445525b7f4d5855ee435a4a122a13;expires=Sat, 30-May-2020 23:26:38 GMT;path=/;secure;httponly
Any suggestions as to what could cause this behavior, or what we could try to reproduce this problem, are welcome.
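
A triage sketch for the two situations listed above, added here as an example and not part of the original post or the shop's code: it derives each cookie's lifetime and path scope from the two quoted `Set-Cookie` values, then labels a request to the confirmation page by which of the cookies it should carry are absent. The confirmation path and the sample `Cookie` headers are constructed, and the function names are hypothetical.

```python
# Added triage example, not the shop's code; the Set-Cookie values are the ones quoted in the post.
SET_COOKIE_HEADERS = [
    "JSESSIONID=71284C24DCBF95B1D186C0F6C2641FD5; Path=/store; Secure; HttpOnly",
    "NSC_wt_ifswjt.bu_iuuq=ffffffffaf17649445525b7f4d5855ee435a4a122a13;"
    "expires=Sat, 30-May-2020 23:26:38 GMT;path=/;secure;httponly",
]

def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lower-cased attribute names to values."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    return parts[0].partition("=")[0].strip(), attrs

def path_matches(cookie_path, request_path):
    """RFC 6265 path-match: would a cookie with this Path be sent to request_path?"""
    return request_path == cookie_path or (request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))

def issued_cookies(headers):
    """Map cookie name -> (lifetime, path). No Expires/Max-Age means a session cookie."""
    out = {}
    for h in headers:
        name, attrs = parse_set_cookie(h)
        kind = "persistent" if attrs.keys() & {"expires", "max-age"} else "session"
        out[name] = (kind, attrs.get("path", "/"))  # assumption: "/" when Path is absent
    return out

def classify_return(request_path, cookie_header, issued):
    """Label one request to the confirmation page by which expected cookies it lacks."""
    seen = {p.partition("=")[0].strip() for p in (cookie_header or "").split(";") if p.strip()}
    expected = {n: kind for n, (kind, path) in issued.items() if path_matches(path, request_path)}
    missing = {n for n in expected if n not in seen}
    if not missing:
        return "ok"
    if missing == set(expected):
        return "all-missing"
    if all(expected[n] == "session" for n in missing):
        return "session-missing"
    return "other"

ISSUED = issued_cookies(SET_COOKIE_HEADERS)
# Constructed sample requests (path, Cookie header); the confirmation path is hypothetical.
SAMPLES = [
    ("/store/checkout/confirmation", "JSESSIONID=A1; NSC_wt_ifswjt.bu_iuuq=B2"),
    ("/store/checkout/confirmation", "NSC_wt_ifswjt.bu_iuuq=B2"),
    ("/store/checkout/confirmation", None),
]
RESULTS = [classify_return(p, c, ISSUED) for p, c in SAMPLES]
```

Because `JSESSIONID` is scoped to `Path=/store`, a request outside `/store` is not expected to carry it, so the classifier does not count that as a missing session cookie.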