Redirect from StripeCheckout no longer using existing session

.NET Core 5, latest SS bits, JetBrains Rider on the Mac. I store the session in the db.

Here is the order of operations:

  1. User registers new account with Autologin set to true
  2. User is redirected client side to Stripe Checkout
  3. Stripe Checkout redirects to success url decorated with Authenticate attribute
  4. User has to log in again to view the page

If I view Network tab, I can see the Session id change when it is redirected.

Things I have tried:

  - Using the SSL version only of localhost
  - Set UseSameSiteCookies to false
  - Set UseSecureCookies to false

My intention is for the user to be redirected and maintain their previous session so it is a seamless experience.

Vague descriptions aren’t going to help when trying to diagnose any HTTP issues, you’d need to post the raw HTTP Headers so we can see what’s actually happening.

You’re saying the session cookies change? I’d start there, please post the previous Request/Response Headers before & after it changes.

Here is the order of operations:

  1. Register
  2. Subscription
  3. Redirect to Stripe Checkout
  4. Redirect to Success page <— This requires a login, [Authenticate]

Here are the request headers on the success page:

GET /subscribe/ HTTP/1.1
Host: localhost:5001
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://localhost:5001/register/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: ss-opt=perm; ss-pid=YY03hs0usc3nCWxgUfDm; ss-id=YQW3bD1Ojt8BoPO8WsA5; X-UAId=42

Here is the request to the success page:

GET /login?redirect=/subscribe/success/cs_test_a1nPdupgSVeTplD5yaUfQfbfFJjklzoJfRV9gTJUasSb0ce44zoNXucrUy HTTP/1.1
Host: localhost:5001
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://checkout.stripe.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: ss-opt=perm

So once I set UseSameSiteCookies = false, I saw the proper session id cookie being passed from Stripe. However, it still didn’t work until I edited the ss-opt cookie to sameSite=None. It seems that setting is not controlled by the same property as the other cookies.

It looks like you have to delete the ss-opt cookie after you set UseSameSiteCookies = false in order to get the feature to work properly. Once I did that the redirect back to the site worked fine.

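The cookie behaviour discussed in this thread, as an added example that is not part of any post and is not ServiceStack code: a simplified JavaScript model of which cookies a browser attaches to a request depending on each cookie's SameSite attribute. The helper names (`siteOf`, `cookiesSent`), the SameSite values in the two jars and the placeholder success URL are assumptions, constructed to match the request headers posted above.

```javascript
// Added example: simplified model of a browser's SameSite decision.
// "Site" is approximated as scheme + hostname (no public-suffix lookup); ports are ignored.
const siteOf = (url) => { const u = new URL(url); return `${u.protocol}//${u.hostname}`; };
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Returns the names of the cookies in `jar` that would be attached to the request.
function cookiesSent(jar, { initiator, target, method = 'GET', topLevelNavigation = true }) {
  const crossSite = siteOf(initiator) !== siteOf(target);
  const httpsTarget = new URL(target).protocol === 'https:';
  return jar.filter((c) => {
    if (c.secure && !httpsTarget) return false;     // Secure cookies need HTTPS
    if (!crossSite) return true;                    // same-site request: SameSite does not apply
    const mode = c.sameSite || 'Lax';               // unset is treated as Lax by current Chrome
    if (mode === 'None') return c.secure === true;  // None is only honoured together with Secure
    if (mode === 'Lax') return topLevelNavigation && SAFE_METHODS.has(method);
    return false;                                   // Strict: never sent on a cross-site request
  }).map((c) => c.name);
}

// Constructed cookie jars: the SameSite values are assumptions, not taken from the thread.
const strictJar = [
  { name: 'ss-opt', sameSite: 'Lax', secure: true },
  { name: 'ss-pid', sameSite: 'Strict', secure: true },
  { name: 'ss-id', sameSite: 'Strict', secure: true },
];
const noneJar = strictJar.map((c) => ({ ...c, sameSite: 'None' }));

// The two navigations from the thread; the checkout session id is a placeholder.
const fromRegister = {
  initiator: 'https://localhost:5001/register/',
  target: 'https://localhost:5001/subscribe/',
};
const fromStripe = {
  initiator: 'https://checkout.stripe.com/',
  target: 'https://localhost:5001/subscribe/success/PLACEHOLDER',
};

console.log(cookiesSent(strictJar, fromRegister)); // same-site navigation
console.log(cookiesSent(strictJar, fromStripe));   // cross-site redirect back from Stripe
console.log(cookiesSent(noneJar, fromStripe));     // same redirect with SameSite=None; Secure
```

The model also returns nothing for a SameSite=None cookie that lacks Secure, which current Chrome rejects.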