Recent security changes to common browsers, including Google Chrome, have altered the behaviour of session cookies. By default, a session cookie may now no longer persist if you redirect to another site which then redirects back, as we quite often do in payments.
For example, if your application flow is:
mysite.co.uk -> go2pay.uk -> mysite.co.uk
When the user comes back to mysite.co.uk, their session will be gone – all the session data (e.g. their login) will be lost.
This is due to the introduction of the SameSite cookie attribute, which is intended to prevent cross-site security attacks, but is rather unhelpful to anyone whose application depends on the session still being there when the user comes back!
In IIS on Windows you can revert to the “old” functionality by adding the following setting in web.config, under system.web:
<sessionState cookieSameSite="None" />
(Requires .NET Framework 4.7.2 or above.)
Similar fixes are also available for other systems.
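After applying the setting, it is worth confirming what the server actually sends: browsers such as Chrome reject a SameSite=None cookie that is not also marked Secure, so the session cookie needs both. The check below is an added example, not code from Adelante; it assumes the default ASP.NET session cookie name ASP.NET_SessionId, and the sample headers are constructed.

```python
# Added example: audit a Set-Cookie header for the ASP.NET session cookie.
# The header values in SAMPLES are constructed, not captured traffic.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header, expected_name="ASP.NET_SessionId"):
    """Return findings; an empty list means the browser may send the
    cookie when the payment site redirects the user back."""
    name, _, attrs = parse_set_cookie(header)
    if name != expected_name:
        return ["not the session cookie: " + name]
    findings = []
    samesite = attrs.get("samesite", "").lower()
    if samesite != "none":
        shown = samesite or "absent (browser default applies)"
        findings.append("SameSite is " + shown + "; expected None")
    if "secure" not in attrs:
        findings.append("Secure missing; SameSite=None is rejected without it")
    return findings


SAMPLES = {
    "before fix": "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax",
    "no attribute": "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "None, no Secure": "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None",
    "after fix": "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly; SameSite=None",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        result = audit_session_cookie(header)
        print(label + ":", "OK" if not result else "; ".join(result))
```

Pass in the Set-Cookie value shown for your site in the browser's developer tools. With SameSite=None the browser no longer withholds the session cookie on cross-site requests, so the application's own anti-forgery checks have to carry that protection.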
⚠️ This needs to be set on your site - this is not an Adelante issue, and Adelante can't make this change for you!