
I have a PHP website www.example.com which has a button opening a new window with JS. It then loads a unique url to www.thirdpartywebsite.com via AJAX and sets the window's url:

// Open the popup synchronously inside the click handler (so it is not blocked),
// then point it at the third-party URL once the backend has fetched it.
var newWindow = window.open("", "_blank", "scrollbars=yes,resizable=yes");
fetch("https://www.example.com/get-url", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(someData)   // someData is defined elsewhere on the page
})
    .then(function (res) { return res.json(); })
    .then(function (response) {
        newWindow.location = response.url;
        // something like www.thirdpartywebsite.com/catalog/12345xyz
    });

Backend PHP code for www.example.com/get-url simply makes a curl request to www.thirdpartywebsite.com for the unique url and then returns it.

The returned third party site url is a page showing a catalog of items. Each item has a button redirecting the user back to my site with the item data in POST. The url for that is www.example.com/get-data with the following PHP code:

$itemData = $_POST["data"];   // item posted back by the third-party catalog page
echo '<div id="content-json" style="display:none;">' . json_encode($itemData) . '</div>';
echo '<script>';
echo 'var json = document.getElementById("content-json").innerHTML;';
echo 'var data = JSON.parse(json);';
echo 'window.opener.returnCallback(data);';   // hand the item to the main window
echo 'window.close();';
echo '</script>';

The returnCallback function is on the same page (main window) as the button opening the new window:

function returnCallback(data)
{
    // Set page's content with data
    // ...
}

So basically we open a new window to the other site, the user does an action, the new window redirects back to my site with POST data, gives the data to the main window as a JS object and then closes the new window.

Now the problem is that the PHP session id gets regenerated when the new window is redirected back to my site. I have confirmed this with typing document.cookie into the main window's console.

Before clicking the button to open the new window and before clicking the button on the new window to redirect back to my site:

PHPSESSID=random12345

After redirecting back to my site and the new window closes:

PHPSESSID=random67890

What is even more interesting is that this doesn't happen every time and not with every user. It sometimes happens on one day on one browser with one user and then some other day/time it doesn't.

The only thing I can come up with is if the domain changes between www.example.com and example.com, but it's always https://www.example.com.

Anyone know any reason why this would happen?

bloodleh
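The get-data page as a defender would write it, added here as an example and not the asker's or a commenter's code. It keeps the asker's flow (cross-site POST from the catalog page, hand the object to `window.opener.returnCallback`, close the popup) but inlines the JSON as a JavaScript literal with the `JSON_HEX_*` flags, so a value containing `</script>`, `<`, `&` or a quote cannot break out of the script element into markup, and it rejects non-POST requests and input that is not valid UTF-8. The file name, the 400 responses and the `typeof` guard on the opener are assumptions.

```php
<?php
// get-data.php: added example (not the asker's code). Receives the item the
// user picked on www.thirdpartywebsite.com (it arrives as a cross-site POST)
// and hands it to the opener window as a JS object.
//
// Embedding request data inside a <script> element:
//  - JSON_HEX_TAG encodes '<' and '>' as \u003C / \u003E, so a value such as
//    "</script><img onerror=...>" stays a harmless string literal.
//  - JSON_HEX_AMP / JSON_HEX_APOS / JSON_HEX_QUOT neutralise &, ' and " too.
//  - JSON_THROW_ON_ERROR turns malformed (e.g. non-UTF-8) input into an
//    exception instead of a silent `false` being printed into the page.
// Inlining the literal also avoids the hidden <div> round-trip, where
// innerHTML re-serialises any markup in the data and can corrupt the JSON.

declare(strict_types=1);

header('Content-Type: text/html; charset=utf-8');
header('X-Content-Type-Options: nosniff');

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['data'])) {
    http_response_code(400);   // assumed error handling
    exit('Missing item data');
}

$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
       | JSON_THROW_ON_ERROR;

try {
    // $_POST['data'] may be a string or a nested form array; both encode fine.
    $json = json_encode($_POST['data'], $flags);
} catch (JsonException $e) {
    http_response_code(400);
    exit('Item data is not valid UTF-8');
}
?>
<!doctype html>
<meta charset="utf-8">
<script>
// This popup was opened by a page on the same origin, so window.opener is
// reachable. Guard anyway: the page may have been opened directly, or the
// opener may have navigated away and no longer define returnCallback.
var data = <?= $json ?>;
if (window.opener && typeof window.opener.returnCallback === "function") {
    window.opener.returnCallback(data);
}
window.close();
</script>
```

With these flags the output is still valid JSON, so `JSON.parse` is not needed; the browser reads the literal directly. The session-cookie problem in the question is unaffected by this page's output, since it is the request's missing `Cookie` header, not the response body, that makes PHP start a new session.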
  • Not an answer, just a suggestion... `echo 'var data = ' . json_encode($itemData) . ';';` is a whole lot simpler than what you've got going on there – Phil Aug 16 '20 at 23:08
  • I strongly suggest creating a unique [session name](https://www.php.net/manual/function.session-name.php) for your app. So many things use the default `PHPSESSID` that it's very easy to run into conflicts – Phil Aug 16 '20 at 23:13
  • @Phil The div mess was so I didn't need to escape json quotes/doublequotes inside the js code. I'll try changing the session name, although I don't think it's the problem here. The third party website has a unique session name. – bloodleh Aug 16 '20 at 23:19
  • `json_encode()` produces a string that can be used as a valid JavaScript data structure – Phil Aug 16 '20 at 23:22
  • Use your browser's _Network_ console to monitor which response is issuing the new session id (look for `Set-Cookie` headers). Look at the request for that response. Does it have a `Cookie` header with the old session ID? If so, then something in your code is replacing the old value, probably via `session_regenerate_id()` – Phil Aug 16 '20 at 23:26
  • 1
    I guess this could be an issue with 3rd-party cookie blocking - and what exactly different browsers/extensions might consider 3rd-party in such a scenario? (With your own site being considered the 3rd party here, when stuff is happening under the other domain.) Instead of doing `window.open("")`, I would try and open a page from your own site in the popup first, and then have that make the API request and redirect itself to the other domain - and see if that helps with retention of the session cookie. – CBroe Aug 17 '20 at 08:23
  • @Phil Had to wait for a user to test it out but yes, that's exactly what is happening. The request back to my site has a Set-Cookie header which changes the cookie. I don't have any session regenerate code anywhere in my code base and the only place where it is destroyed/unset is in the logout script elsewhere. – bloodleh Aug 17 '20 at 12:04
  • @CBroe Tried that as well, unfortunately no luck. – bloodleh Aug 17 '20 at 15:49
  • Hi @bloodleh, have you got any solution for this? – Rathilesh C Jul 30 '21 at 07:19
  • @RathileshC Yes! I asked this same/similar question just a while ago, didn't even realize/remember that I had asked it previously (without a solution) almost a year ago haha :). The problem was that the cookies had attribute `samesite=lax`. Changing it to `samesite=none; secure` fixed it. https://stackoverflow.com/q/68478133/2219407 and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#none for more info! – bloodleh Jul 30 '21 at 23:47
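Putting the fix from the last comment together with Phil's earlier suggestions, as an added example that is not code from the question or the comments: a session bootstrap for www.example.com that gives the session cookie its own name, sets `SameSite=None; Secure` so the browser still attaches it to the top-level cross-site POST coming back from the catalog page, and logs every request that arrives without the cookie, which is exactly the moment PHP mints the new id that showed up as `Set-Cookie` in the Network tab. The file name, the session name `EXAMPLE_SID` and the log line format are assumptions.

```php
<?php
// session-bootstrap.php: added example (not the asker's code). Include it at
// the top of every page on www.example.com, before any output is sent.
//
// Why the id changed: the popup returns from www.thirdpartywebsite.com as a
// top-level cross-site POST. With the default SameSite=Lax the browser does
// not attach the session cookie to that request, PHP sees no session and
// starts a fresh one. SameSite=None (which browsers honour only together
// with Secure) keeps the cookie on that request.

declare(strict_types=1);

function bootstrap_session(): void
{
    // A distinct name avoids clashes with other apps that also use the
    // default PHPSESSID on the same host. Hypothetical name, pick your own.
    session_name('EXAMPLE_SID');

    // Array form of session_set_cookie_params() needs PHP >= 7.3, the first
    // release with 'samesite' support.
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'domain'   => '',       // host-only cookie for www.example.com
        'secure'   => true,     // mandatory for SameSite=None
        'httponly' => true,     // keeps it out of document.cookie
        'samesite' => 'None',   // sent on the cross-site POST back from the catalog
    ]);

    // Detection aid while verifying the fix: a request that carries no
    // session cookie is the one that will receive a Set-Cookie with a new id.
    $hadCookie = isset($_COOKIE[session_name()]);
    session_start();
    if (!$hadCookie) {
        error_log(sprintf(
            'new session %s for %s %s (referer=%s)',
            session_id(),
            $_SERVER['REQUEST_METHOD'] ?? '?',
            $_SERVER['REQUEST_URI'] ?? '?',
            $_SERVER['HTTP_REFERER'] ?? '-'
        ));
    }
}

bootstrap_session();
```

Two consequences worth knowing before copying this. `SameSite=None` restores the cookie on the POST back from the catalog, but it also means the cookie accompanies every other cross-site request, so CSRF protection for state-changing endpoints has to come from per-request tokens rather than from the cookie attribute. And with `httponly` set, the asker's `document.cookie` check in the console will no longer show the session cookie; the `Cookie` and `Set-Cookie` headers in the browser's Network tab, as Phil suggested, are the place to watch.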

0 Answers