So I have the following problem: I'm using a PHP $_SESSION to authenticate logged-in users and allow access to specific pages of a website A. As the protected parts of A allow payments to be executed, its sessions have to be as secure as possible, hence I'm using:
- httponly
- hostonly
- samesite = Strict
- secure
PHP Session cookies.
My problem now is that, when a client triggers a payment to A, he gets redirected to his bank's page B for multi-factor authentication of the payment. After that, B redirects him back to A. Obviously, due to samesite = Strict, this process leads to the loss of the session cookie of A, hence to the loss of the client's session at A, so he / she will be automatically logged off after the redirect back from B to A.
Thanks to my previous question here, I've been provided with a logic to restore the session safely, to not need to open the samesite attribute of my session cookies to Lax. All of this works fine, basically I successfully authenticate the client after the redirect back to A via a token. What I simply don't get is how you properly reset a PHP session. Basically, the steps I'm implementing are:
1. Before the redirect from A to B, I store json_encode($_SESSION) on my server, together with a relationship to the authentication token, which will survive the redirect.
2. After the redirect back from B to A, I authenticate the client and then retrieve the stored session data back using $session_data = json_decode( $my_data, true ).
3. I then retry to restore the $_SESSION data using:
    $_SESSION = $session_data;
    session_commit();
When I do so, I tested out the following at the very start of the page of A to which B's redirect points:
Test 1: var_dump($_SESSION) resulting in an empty array, which confirms that the session has been lost.
Test 2: var_dump($_SESSION) after doing the restore procedure mentioned above. I get the $_SESSION data array, populated with the data I expected. So far so good, the session data seems to be restored.
The problem now is that when I reload the page to which B redirects, without doing anything else, and run tests 1 + 2 again, I get exactly the same output, although $_SESSION should already be populated when running Test 1 on the second page load.
So it seems that my session data gets written into $_SESSION, but not saved such that it survives a page load. What am I missing?
Note that the session ID changes throughout the procedure I'm using to restore it as described above.
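As an added illustration (not the question author's code), the following PHP sketch shows the two halves of the token-based restore described above with the session lifecycle calls made explicit: the session has to be active (session_start()) before $_SESSION is assigned, otherwise the assignment lives only in the current request and session_commit()/session_write_close() has nothing to persist. The token store is a constructed in-memory array standing in for whatever the application persists server-side; the TTL, the single-use flag and the hashing of the token before storage are assumptions of this example, not details from the question.

```php
<?php
// Added example, not the question author's code. Assumes a server-side
// token store represented here as a plain array ($store) that the
// application persists between the two requests.
declare(strict_types=1);

const RETURN_TOKEN_TTL = 600; // seconds the return token stays valid (assumption)

// Step 1, before the redirect A -> B: snapshot $_SESSION under a fresh
// unguessable token. Only a hash of the token is stored, so a leaked store
// does not hand out usable tokens.
function stashSessionForRedirect(array &$store): string
{
    $token = bin2hex(random_bytes(32));               // 256 bits of entropy
    $store[hash('sha256', $token)] = [
        'data'    => json_encode($_SESSION, JSON_THROW_ON_ERROR),
        'expires' => time() + RETURN_TOKEN_TTL,
        'used'    => false,
    ];
    return $token;                                    // goes into the return URL
}

// Step 2/3, after the redirect B -> A: validate the token, then rebuild the
// session so that it actually survives the next page load.
function restoreSessionFromToken(array &$store, string $token): bool
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return false;                                 // unknown token
    }
    $entry = $store[$key];
    if ($entry['used'] || $entry['expires'] < time()) {
        return false;                                 // replayed or expired
    }
    $store[$key]['used'] = true;                      // single use

    // Cookie flags must be set before the session is started; these mirror
    // the flags listed in the question.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params([
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Strict',
        ]);
        session_start();                              // without this, nothing is saved
    }
    session_regenerate_id(true);                      // fresh ID after re-authentication
    $_SESSION = json_decode($entry['data'], true, 512, JSON_THROW_ON_ERROR);
    session_write_close();                            // persist to the session handler now
    return true;
}
```

With the session active, the assignment to $_SESSION is written by session_write_close() (session_commit() is an alias) and is present on the next request, whereas assigning $_SESSION with no active session and then calling session_commit() discards the data at the end of the request, which matches the symptom described.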