Hi
I’m trying to get to the bottom of an issue we’ve recently started experiencing with Chrome and dropped sessions in a mature application. I’m getting increasingly confused in trying to debug it, so I’m posting here in the hope that someone might help me see the wood for the trees!
Any help would be greatly appreciated.
The app is an e-store - shoppers go through a selection process to get stock which is retained in their session, we redirect (in an iframe) to a payment gateway (Paydoo) which then posts a result back to our payment results page (not in an iframe).
In all other browsers apart from Chrome 86, the payment results page happily takes the post, combines it with what’s in the session and processes orders normally. In Chrome 86, nothing happens, we just get a blank page.
Initially, the Chrome console was indicating an issue that SameSite needed to be set on cookies, which we duly applied via an Apache header directive. We also had some third-party cookies, which we removed. However, this didn’t fix the issue.
The cookies look OK to me.
We have had to experiment with values: SameSite=Strict broke sessions altogether in the app, and SameSite=Secure didn’t appear to do anything and triggered errors in the console advising that SameSite attribution was required.
But I’m wondering if we need to change our session management, which is currently set like this:
<cfset this.applicationTimeout = createTimeSpan(1,0,0,0) />
<cfset this.clientManagement = true />
<cfset this.sessionManagement = true />
<cfset this.sessionTimeout = createTimeSpan(0,0,9,0) />
<cfset this.setClientCookies = true />
<cfset this.sessionCookie.secure = true />
<cfset this.sessionCookie.httpOnly = true />
<cfset this.setDomainCookies = true />
Or do we need to upgrade to a later Lucee (we are on 5.3.3.62)?
Just looking for a steer really: has anyone seen anything like this before, or is there something stupid in my code?
Thanks for reading
Cheers
Dom
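The failing step in the flow above is a cross-site, top-level POST from the gateway back to the results page, and whether the session cookie rides along with that POST is decided entirely by the cookie's SameSite attribute. The following is an added example, not code from the original post or from Lucee: a small Python model of the Chrome 80+ attachment rules (Lax-by-default for cookies with no attribute, the two-minute "Lax+POST" grace period, Strict never crossing sites, and SameSite=None requiring Secure), applied to each of the Set-Cookie variants the post mentions. The cookie name, the Set-Cookie strings and the one-hour default cookie age are constructed for the example; Chrome's treatment of an unrecognised value such as SameSite=Secure as "attribute absent" is what produces the console warning the post describes.

```python
"""Model of how Chrome 80+ decides whether a cookie is attached to a request,
replayed against the e-store -> gateway -> results-page flow.
Added example; cookie names and header strings are constructed placeholders."""
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
LAX_POST_WINDOW = timedelta(minutes=2)  # Chrome's "Lax+POST" grace period


@dataclass
class Cookie:
    name: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None when absent/invalid
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into the attributes that matter here."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    same_site = None
    secure = http_only = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            # Chrome treats unknown values (e.g. "SameSite=Secure") as if the
            # attribute were absent, which is why that setting "did nothing".
            same_site = {"strict": "Strict", "lax": "Lax", "none": "None"}.get(
                value.strip().lower())
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    return Cookie(name, same_site, secure, http_only)


def would_be_sent(cookie: Cookie, method: str, cross_site: bool,
                  top_level: bool, https: bool,
                  cookie_age: timedelta = timedelta(hours=1)) -> Tuple[bool, str]:
    """Return (sent?, reason) for a request that could carry this cookie."""
    if cookie.same_site == "None" and not cookie.secure:
        return False, "SameSite=None without Secure is rejected when set"
    if cookie.secure and not https:
        return False, "Secure cookie is not sent over plain http"
    if not cross_site:
        return True, "same-site request"
    mode = cookie.same_site or "Lax-by-default"
    if mode == "None":
        return True, "SameSite=None; Secure allows cross-site use"
    if mode == "Strict":
        return False, "SameSite=Strict never travels cross-site"
    if top_level and method.upper() in SAFE_METHODS:
        return True, f"{mode}: top-level safe-method navigation"
    if (mode == "Lax-by-default" and top_level and method.upper() == "POST"
            and cookie_age < LAX_POST_WINDOW):
        return True, "Lax-by-default: Lax+POST grace period (cookie < 2 min old)"
    return False, f"{mode}: cross-site {method.upper()} not allowed"


def gateway_return_post(set_cookie_header: str,
                        cookie_age: timedelta = timedelta(hours=1)) -> Tuple[bool, str]:
    """The step that fails in the post: the gateway's top-level, cross-site POST
    back to the results page. Returns whether the session cookie arrives."""
    cookie = parse_set_cookie(set_cookie_header)
    return would_be_sent(cookie, "POST", cross_site=True, top_level=True,
                         https=True, cookie_age=cookie_age)


if __name__ == "__main__":
    # Constructed Set-Cookie variants for a session cookie (placeholder name).
    for header in [
        "CFID=abc123; Path=/; Secure; HttpOnly",                   # no attribute
        "CFID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",  # breaks sessions
        "CFID=abc123; Path=/; Secure; HttpOnly; SameSite=Secure",  # invalid value
        "CFID=abc123; Path=/; Secure; HttpOnly; SameSite=None",    # arrives
    ]:
        sent, why = gateway_return_post(header)
        print(f"{'sent' if sent else 'DROPPED':8} {header:60} {why}")
```

Run as a script it prints one line per variant; only the `SameSite=None; Secure` cookie survives the gateway's POST, which is the combination a cross-site post-back needs, and it only works when the results page is served over https. The no-attribute case passes only while the cookie is under two minutes old, which is why a session that works for a quick checkout can fail after a longer selection process. The Apache form commonly used to apply it is `Header edit Set-Cookie ^(.*)$ "$1; SameSite=None; Secure"`; whichever layer sets it, the attribute has to end up on the actual session cookie, which is worth confirming in the Set-Cookie response header rather than in the application settings alone.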