If a site has the sameSiteCookieValue Craft config value set to Strict (as opposed to Lax or null) this can create a problem with any payment gateway that has the user fill in details on another domain via redirect before being redirected back to the Craft site for order completion.
The issue manifests as what appears to be a forgotten session after redirect back from authentication, because session cookies set to SameSite: Strict are not sent by the browser when the referrer hostname does not match the hostname where the cookie was originally set.
The effect is that when the user is redirected back, Craft / Commerce thinks there is no session, starts a new one and, in the process, whatever is in the cart disappears for the user. In our case, we have a condition on our checkout that redirects users away from the checkout when their cart is empty, so the visible effect for our users was completing a payment stage and ending up on another page of our site with an error stating they cannot check out as their cart is empty.
I have found that this is generally not a visible problem for us if the off-site payment details / authentication is successful as the session is not needed in order to show the checkout confirmation page.
This all goes away if the session cookie has SameSite: Lax. It would be great if this is made clearer in the docs, or is somehow worked around in code.
Additional info
Craft CMS version: 3.7.23
Craft Commerce version: 3.48
PHP version: 7.4.3
rob-c-baker changed the title from "sameSiteCookieValue == 'Strict' config value with Some Commerce Gateways" to "sameSiteCookieValue == 'Strict' config value with some Commerce gateways" on Mar 16, 2022
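To make the cookie behaviour behind this report concrete, here is an added Python model of the browser's SameSite decision applied to the shop -> gateway -> shop redirect flow described in the issue; it is not Craft or Commerce code, the hostnames are constructed, and it goes one step beyond the report by also covering a gateway that returns the customer via POST, where even Lax does not attach the cookie.

```python
# Added example: model of browser SameSite cookie attachment for a
# hosted-payment redirect flow. Hostnames below are constructed.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    # Simplification: last two labels, no Public Suffix List lookup.
    return ".".join(host.lower().split(".")[-2:])


def same_site(host_a: str, host_b: str) -> bool:
    return registrable_domain(host_a) == registrable_domain(host_b)


@dataclass
class Navigation:
    initiator: str      # host of the document (or redirect) that triggered it
    target: str         # URL being requested
    method: str = "GET"


def cookie_sent(same_site_attr: Optional[str], nav: Navigation) -> bool:
    """Would a session cookie belonging to nav.target's host be attached?"""
    target_host = urlsplit(nav.target).hostname or ""
    if same_site(nav.initiator, target_host):
        return True                                   # same-site: always sent
    attr = (same_site_attr or "Lax").capitalize()     # null -> modern default Lax
    if attr == "None":
        return True                                   # cross-site allowed (needs Secure)
    if attr == "Lax":
        return nav.method.upper() in {"GET", "HEAD"}  # top-level safe navigations only
    return False                                      # Strict: never cross-site


def checkout_flow(same_site_attr: Optional[str], return_method: str = "GET") -> bool:
    """Simulate the issue's flow and report whether the shop sees its session on return.

    Constructed hosts: the Craft site is shop.example, the hosted gateway is
    pay.gateway-example. Browser-specific leniencies are not modelled.
    """
    shop, gateway = "shop.example", "pay.gateway-example"
    steps = [
        Navigation(shop, f"https://{shop}/checkout"),                    # session cookie set
        Navigation(shop, f"https://{gateway}/authorise", "POST"),        # off-site payment
        Navigation(gateway, f"https://{shop}/commerce/return", return_method),  # back
    ]
    return cookie_sent(same_site_attr, steps[-1])
```

Run with "Strict" the return navigation arrives without the session cookie, which is exactly the empty-cart symptom above; "Lax" fixes the GET return but not a POST return, which matters when choosing a gateway's return method.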