Cookie or Session? When Working on an Online Payment Gateway

Before getting into details, let us briefly review the difference between cookies and sessions and what each is used for.

Put simply, both store data that can be used across multiple pages in an application, such as user information (e.g. user id, name, mail) or the items in a shopping cart.

So what’s the use of both of them when they serve the same purpose?

The key differences between sessions and cookies are:

  • Sessions are server-side files that store the user information, whereas Cookies are client-side files that contain user information on a local computer.
  • The session ends when the user closes the browser or logs out of the application, whereas cookies expire at the set time.

Now let's get back to our topic. Recently I was doing an e-commerce web development project where I had to implement an online payment gateway, which was sslcommerce. The structure of my shopping cart was like this:

[Image: shopping cart structure]

The user id is also in the session after login.

[Image: user session]

So my thought was that once the payment is successful I’ll insert the data into the database order table. But the problem I was facing was that when I returned from the payment gateway, my session data was cleared out automatically before I could insert the data into my database.

Imagine a customer who, after a successful payment, couldn’t see their order. Wouldn’t they be scared to death? 😅

After looking around many sites, it seems this problem mostly happens with Chrome 80+, all other browsers work fine (Firefox, Safari, Edge, mobile browsers etc). Older versions of Chrome also work fine (<=79).

When the user is in the bank/online payment portal and has successfully paid, he is redirected back to the e-commerce site by a POST request to the URL we set initially, say “successful.php”. Chrome sees this POST request as a cross-site request, and thus it removes the session cookies. See this discussion for a detailed explanation.

Though I personally didn’t check all the browsers, a problem like this shouldn’t even exist on our system no matter which browser we use.

There may be many different ways to achieve our final goal, but I want to stick to my initial thought since I couldn’t think of any other easy way.

So what did I do? Yup, you may have already guessed. COOKIES

There are two options in that case. One is to replace every SESSION with COOKIES.

Or we can simply save the entire session into cookies when we check out.

Here is demo code showing how we can save SESSION data/variables in a COOKIE and output them.

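<?php
session_start();

// Send every cookie before any output: setcookie() fails once output has started.
setcookie("name", "Mehedi", time() + 86400); // 86400s = 1 day; set a cookie called "name"

// Save the session value in a cookie
setcookie("shopping_cartC", json_encode($_SESSION["shopping_cart"] ?? []), time() + 86400);

// $_COOKIE holds only what the browser sent with this request, so the
// values set above can be read here from the next request onwards.
if (isset($_COOKIE['name'])) {
    echo htmlspecialchars($_COOKIE['name']); // cookie values are user input: escape them
    echo "<br>";
}

$cart = json_decode($_COOKIE['shopping_cartC'] ?? '', true);
if (is_array($cart)) {
    print_r($cart); // output all data saved in the cookie variable shopping_cartC
    echo "<br>";
    foreach ($cart as $pr) {
        echo htmlspecialchars((string) $pr["item_name"]); // output only the item name
        echo "<br>";
    }
}
?>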

So it's probably already pretty clear what I want to say. If you face a similar problem, use a cookie instead of the session, using the given method or whatever way you are comfortable with. Remember to clear the cookie once the data is inserted into the database.

Keep in mind never to store sensitive data such as transaction-related details, user passwords, or card numbers in cookies. Check this link for a detailed understanding of cookies.
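
Unlike the session, the cart cookie lives in the customer's browser and can be edited there before the return from the gateway, so the order page should check it before inserting anything into the database. The following is an added example, not code from the original post: it signs the cart with an HMAC at checkout and verifies it on return. The function names, the key, and the item_price and item_quantity fields are assumptions; only shopping_cartC and item_name come from the demo above.

```php
<?php
// Added example: tamper-evident cart cookie (not code from the original post).
// Function names, the key and the item_price/item_quantity fields are assumptions.

// Serialize the cart with an expiry time and append an HMAC-SHA256 tag.
function pack_cart_cookie(array $cart, string $key, int $ttl = 86400): string
{
    $payload = base64_encode(json_encode(['exp' => time() + $ttl, 'cart' => $cart]));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Return the cart only if the tag matches and the payload has not expired.
function unpack_cart_cookie(string $value, string $key): ?array
{
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2) {
        return null; // not in payload.tag form
    }
    [$payload, $tag] = $parts;
    // hash_equals() compares in constant time; a changed payload or tag fails here.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null;
    }
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || ($data['exp'] ?? 0) < time() || !is_array($data['cart'] ?? null)) {
        return null;
    }
    return $data['cart'];
}

// Constructed sample data; a real key is a long random secret kept in server config.
$key  = 'constructed-demo-key';
$cart = [['item_name' => 'Keyboard', 'item_price' => 1500, 'item_quantity' => 1]];
$cookie = pack_cart_cookie($cart, $key);

if (PHP_SAPI !== 'cli') { // at checkout, before any output is sent
    setcookie('shopping_cartC', $cookie,
        ['expires' => time() + 86400, 'path' => '/', 'secure' => true, 'httponly' => true]);
}

// Back from the gateway: the untouched cookie yields the cart again.
echo unpack_cart_cookie($cookie, $key) === $cart ? "original: accepted\n" : "original: rejected\n";

// The same cookie after its price was edited on the client, old tag kept.
$cart[0]['item_price'] = 1;
$edited = base64_encode(json_encode(['exp' => time() + 86400, 'cart' => $cart]))
    . '.' . explode('.', $cookie, 2)[1];
echo unpack_cart_cookie($edited, $key) === null ? "edited: rejected\n" : "edited: accepted\n";
```

Signing only detects changes. The cart is still readable in the browser, so the advice above about keeping sensitive data out of cookies applies unchanged.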