Description
Summary
Chrome will soon be introducing a new default for cookies that don't explicitly set their "SameSite" attribute (this article states that stable Chrome 80 should have this functionality, but it appears the cookie changes won't actually be enforced by default until the 17th of this month per https://www.chromium.org/updates/same-site). The Payflow payment method uses a callback endpoint (paypal/transparent/response) on Magento, invoked from Payflow, to complete an order; that endpoint needs access to the customer's session in order to execute properly. Since the endpoint is invoked from Payflow and not from Magento, the new SameSite default means that some cookies (the session id included) are no longer sent back to Magento, so the customer's session cannot be identified/retrieved, the request fails, and checkout hangs.
Related issue: #26377
Preconditions (*)
- Fresh Magento 2.3.4 Community Edition installation
- Payflow Pro (vendor, user, password, partner) configured and enabled
- Chrome 80.0.3987.100 or greater
- Navigate to chrome://flags and set the "SameSite by default Cookies" and "Cookies with SameSite must be secure" flags to "Enabled"
- Relaunch Chrome
Steps to reproduce (*)
- Navigate to your storefront
- Add any item with price greater than $0 to your cart and proceed to checkout
- Wait at least two minutes after initially opening your session before completing checkout, to avoid the exception under which Chrome still sends cookies that are less than 2 minutes old (see https://www.chromestatus.com/feature/5088147346030592).
- Proceed through checkout using Payflow credit card
- Click "Place Order"
Expected result (*)
- Successful checkout
Actual result (*)
Review \Magento\Paypal\Controller\Transparent\RequestSecureToken and \Magento\Paypal\Controller\Transparent\Response to see what information from the session is required during checkout.
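The behaviour described in the summary and the two-minute wait in step 3, reduced to a small decision model. This is an added example, not code from Magento or from this issue; the cookie name and the shape of the callback (a top-level POST from Payflow to Magento over https) are assumptions.

```python
"""Decision model of Chrome 80's SameSite defaults for the Payflow callback.
Added example (not Magento code): encodes the rules the report relies on to show
why a cross-site POST to paypal/transparent/response loses the session cookie."""
from dataclasses import dataclass
from typing import Optional

# Chrome's temporary "Lax + POST" grace: a cookie with no SameSite attribute is
# still sent on a top-level cross-site POST while it is under 2 minutes old.
LAX_POST_GRACE_SECONDS = 120
SAFE_METHODS = {"GET", "HEAD"}


@dataclass
class Cookie:
    name: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None if attribute absent
    secure: bool
    age_seconds: int


def is_sent(cookie: Cookie, *, cross_site: bool, top_level: bool,
            method: str, https: bool) -> bool:
    """True if Chrome 80 (both flags enabled) attaches `cookie` to the request."""
    mode = cookie.same_site or "Lax"  # a missing attribute now defaults to Lax
    if mode == "None":
        # "Cookies with SameSite must be secure": None is rejected without Secure,
        # and a Secure cookie is never sent over plain http.
        return cookie.secure and https
    if not cross_site:
        return True
    if mode == "Strict" or not top_level:
        return False  # Strict never crosses sites; Lax skips subresource requests
    if method.upper() in SAFE_METHODS:
        return True  # Lax allows top-level GET navigations
    # Top-level cross-site POST: only the Lax+POST grace lets a defaulted cookie through
    return cookie.same_site is None and cookie.age_seconds < LAX_POST_GRACE_SECONDS


def payflow_callback_has_session(age_seconds: int, same_site: Optional[str] = None,
                                 secure: bool = False) -> bool:
    """Assumed callback shape: Payflow posts a top-level form to Magento over https."""
    session = Cookie("PHPSESSID", same_site, secure, age_seconds)  # constructed sample
    return is_sent(session, cross_site=True, top_level=True, method="POST", https=True)


if __name__ == "__main__":
    print(payflow_callback_has_session(300))                       # False: session lost
    print(payflow_callback_has_session(60))                        # True: 2-minute grace
    print(payflow_callback_has_session(300, "None", secure=True))  # True: None + Secure
```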