spookylukey/django-paypal

Django session lost after paypal confirmation

Closed this issue · 5 comments

pyMan commented

Hi,
I was running on python 2.7 + Django 1.11.20 + paypal 0.3.6 and everything has always worked fine with express checkout (pro) or standard paypal IPN.

I upgraded to python 3.8 + Django 2.2.9 + paypal 1.0.0 and I'm experiencing a problem with standard paypal IPN (the express checkout works well).

When I enter the paypal site, I can go back to the vendor site before or after the paypal login, but before the payment confirmation (cancel_return behaviour).

Instead, if I confirm the payment, I get to the right paypal page with all its summary details and the "back to the vendor" button. Meanwhile, I receive the IPN message correctly.
If I press the "back to the vendor" button, my previous session cookie (SESSION_COOKIE_NAME) is no longer set; that is, the user is logged out.

The same happens with paypal 0.5.0.

For the upgrade I changed nothing about my code, just "return_url" -> "return", but "return_url" is still accepted.

My "return" url is an absolute https url and it's correct, the same used for the express checkout scenario and the same for the "cancel_return".
If I use a relative url instead (I read somewhere about someone having a similar problem fixed with a relative url), I do not lose the session cookie, but pressing the "back to the vendor" button redirects to the paypal user account page.

pyMan commented

Session is lost as soon as the "back to the vendor" button is pressed.

It's very unlikely this is due to django-paypal - it doesn't touch the session in any way, and I don't think it ever has. My best guess is that you are doing something incorrectly with domains e.g. www.example.com is not the same as example.com when it comes to cookies, and http/https are not the same. Or perhaps something else in the Django upgrade you did affected it.

pyMan commented

I also checked the differences in the code between the two django-paypal releases, and I agree it seems there's nothing related to the problem.

I just posted an issue to see if anyone else is experiencing the same problem. The only people who seem to have the same problem are on PHP.

Anyway, I'm 100% sure the back link is the same domain and same protocol (and, as I said, it's the same as the 'cancel_return', which works). It also happens on http://localhost:8000.

The session cookie has HttpOnly false and SameSite Lax, the same as with the previous software releases I was using.

The difference between the cancel_return and the return after payment confirmation is that the first one is a GET and the second one is a POST (but so it was before).

EDIT: This is a new thing in django 2.1; anyway, I see the cookie as "Lax" with django 1.11.

pyMan commented

Setting SESSION_COOKIE_SAMESITE to None fixes the problem, but I don't like it as a solution. Anyway, I don't understand why it works on django 1.11 even with "Lax".

pyMan commented

I'm sorry, I was wrong. On django 1.11 it's not "Lax", it's "Unset". I got confused by the different sessionid cookie names.
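What the thread converges on is a browser rule, not a django-paypal bug: PayPal's "back to the vendor" button is a cross-site POST to the shop's return URL, and a session cookie marked SameSite=Lax (Django's default since 2.1) is only attached to cross-site requests that are top-level navigations with a safe method such as GET. The cancel_return GET therefore keeps the session while the return POST arrives anonymous; Django 1.11 emitted no SameSite attribute at all, which is why it "worked". The following model of that decision is an added example, not code from django-paypal or from anyone in the thread; the site names, the `modern_browser` flag (roughly, Chrome 80-style Lax-by-default and Secure required for SameSite=None, without the Lax+POST grace period) and the scenario labels are assumptions made for illustration.

```python
"""
Model of the browser-side SameSite decision behind the lost PayPal session.

Added example (not django-paypal code). Site names, the modern_browser
switch and the scenario labels are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# A Lax cookie accompanies a cross-site request only when it is a top-level
# navigation using one of these methods.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is omitted
    secure: bool = False


@dataclass(frozen=True)
class Request:
    method: str
    scheme: str       # "http" or "https"
    cross_site: bool  # initiator site (paypal.com) differs from the target (shop.example)
    top_level: bool   # navigation that changes the address bar, not fetch/XHR/iframe


def cookie_is_sent(cookie: Cookie, req: Request, modern_browser: bool = False) -> bool:
    """Return True if the browser attaches `cookie` to `req`.

    modern_browser=False: a cookie without a SameSite attribute is sent on every
    request (browsers of the era of the report, and Django 1.11, which never set
    the attribute). modern_browser=True: an omitted attribute behaves as Lax and
    SameSite=None is only accepted together with Secure.
    """
    if cookie.secure and req.scheme != "https":
        return False                   # Secure cookies never travel over plain http
    if not req.cross_site:
        return True                    # same-site: SameSite imposes no restriction

    mode = (cookie.samesite or "").lower()
    if mode == "none":
        # Modern browsers reject SameSite=None cookies that lack Secure at set time.
        return cookie.secure or not modern_browser
    if mode == "":
        if not modern_browser:
            return True                # omitted attribute: legacy "send everywhere"
        mode = "lax"                   # Lax-by-default
    if mode == "strict":
        return False
    if mode == "lax":
        return req.top_level and req.method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value {cookie.samesite!r}")


def paypal_return_scenarios(session_cookie: Cookie, modern_browser: bool = False) -> Dict[str, bool]:
    """The two round-trips from the thread, as the shop's server sees them.

    Both start on paypal.com and land on the shop's absolute https return URL,
    so both are cross-site top-level navigations; only the method differs.
    """
    cancel_return = Request("GET", "https", cross_site=True, top_level=True)
    return_after_payment = Request("POST", "https", cross_site=True, top_level=True)
    return {
        "cancel_return keeps session": cookie_is_sent(session_cookie, cancel_return, modern_browser),
        "return keeps session": cookie_is_sent(session_cookie, return_after_payment, modern_browser),
    }


if __name__ == "__main__":
    configs = {
        "Django 2.1+ default (SameSite=Lax)": Cookie("sessionid", "Lax"),
        "Django 1.11, or SESSION_COOKIE_SAMESITE = None (attribute omitted)": Cookie("sessionid", None),
        "SameSite=None; Secure": Cookie("sessionid", "None", secure=True),
    }
    for label, cookie in configs.items():
        print(label)
        for browser in (False, True):
            print("  modern_browser =", browser, paypal_return_scenarios(cookie, browser))
```

Running it reproduces the thread: with SameSite=Lax the cancel_return GET keeps the session and the return POST loses it; with the attribute omitted (the Django 1.11 behaviour, and what SESSION_COOKIE_SAMESITE = None does in Django 2.2) both keep it on a legacy browser, but a Lax-by-default browser drops the POST case again. Since SameSite=Lax is part of Django's CSRF defence, switching it off for the whole site is a heavier trade than the symptom warrants; a narrower fix is to let the return view work without a logged-in session (look the order up from the fields PayPal posts back, and treat the IPN, which the reporter says arrives correctly, as the authoritative payment signal), or to issue SameSite=None only with Secure over https if the return view really must see the session.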