Session logs out intermittently after being redirected by the payment link


  • After being redirected by the payment link, the session logs out.
  • Steps to reproduce :
    1. Login in Liferay.
    2. Call the API in Postman.
    Request parameters are attached (SSL Commerz Request Parameters.txt)
    Request Type: x-www-form-urlencoded
    3. Set a redirect url (success_url, fail_url, cancel_url) to a test private page.
    4. Open GatewayPageURL from the response in the browser.
    5. Click login and sign in with the pre-filled mobile number. Use OTP: 111111
    6. Use any of the prefilled cards with CVV 111
    Expected Behavior:  Click on the success button to be redirected back to Liferay.
    Observed Behavior: The user session will be logged out and the user will be redirected back to the login page.


  • Liferay DXP 7.3 Fix Pack 1


  • The issue turns out to be that the browser does not send the saved cookies back to the portal with the request to http://localhost:8080/group/guest/test after returning from the payment site.

    • The reason for this is that in the current environment, the limitations of the default cookie behavior prevent proper cross-site usage.
      To summarize, any cookies with the 'SameSite=none' value are 'filtered out' by the browser. (The default value is "SameSite=Lax.")cookies_SameSite_attribute__1_.png

  • Try the procedures below to overcome this issue:

    1) Added <CookieProcessor sameSiteCookies="none"/> to the <context> element in tomcat/conf/context.xml.
    2) Setup HTTPS based on SSL/TLS Configuration How-To. (This is because cookies with "SameSite=none" are sent only with encrypted requests.)
    Create a keystore file to store the server's private key and self-signed certificate by executing the following command:
    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

    Uncomment and modify the "SSL HTTP/1.1 Connector" entry in $CATALINA_BASE/conf/server.xml

    <!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS"/>

    3) Ensured to access/login to the portal via https and also set the redirect urls (success_url, fail_url, cancel_url) in Postman API call to https://localhost:8443/group/guest/test.

Additional Information

¿Fue útil este artículo?
Usuarios a los que les pareció útil: 0 de 0