I've completed the integration of a payment provider called Pay360 with a client's site.
The problem I'm having relates to the loss of session state. This is the sequence:
1. Customer arrives at website (new session ID issued)
2. Customer selects products, enters card info, clicks PAY
3. Background API call to Pay360 to get redirect URL for 3D Secure
4. Build page with HTML FORM which POSTs customer to that URL, trigger client-side POST with JavaScript
5. 3D Secure authorisation with bank / Pay360
6. Customer sent back to website by Pay360 via HTTP POST (new session ID issued)
I can prove (6) by examining cookie values. At this point, although the order commits (since that doesn't rely on session state), the customer is now logged out.
I assume this is default security-related behaviour in .NET and occurs when the user arrives with a FORM POST from an external domain. A new session is created.
I can't, for example, pass the customer's session ID to Pay360 as a hidden field and then "reconnect it" afterwards since this would provide a back-door for someone to gain the session of another user.
Is there any way to stop that default behaviour and maintain the session?
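The following is an added example, not code from the question or from Pay360, that models the cookie rule a browser applies to step (6). It assumes (the question does not say so) that the session cookie carries SameSite=Lax, the current browser default, which omits the cookie from a cross-site top-level POST; it then shows the one attribute combination (SameSite=None; Secure) under which the cookie would be sent on that return POST. Domain names and cookie values are constructed placeholders.

```python
"""Model of whether a browser attaches the shop's session cookie to the
request that brings the customer back from the 3-D Secure step.
Constructed example; the SameSite=Lax cause is an assumption."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # host the cookie was set for
    same_site: str     # "Strict", "Lax" or "None"
    secure: bool = False


def site_of(url: str) -> str:
    """Approximate the 'site' as scheme plus the last two host labels."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return parts.scheme + "://" + ".".join(labels[-2:])


def cookie_is_sent(cookie: Cookie, initiator_url: str, target_url: str,
                   method: str, top_level: bool = True) -> bool:
    """Apply host, Secure and SameSite checks to a single request."""
    target = urlsplit(target_url)
    if cookie.domain != target.hostname:
        return False
    if cookie.secure and target.scheme != "https":
        return False
    if site_of(initiator_url) == site_of(target_url):
        return True                      # same-site: always attached
    if cookie.same_site == "Strict":
        return False                     # never sent cross-site
    if cookie.same_site == "Lax":
        # Lax cookies ride only on top-level GET/HEAD navigations,
        # so a cross-site form POST (the 3-D Secure return) loses them.
        return top_level and method.upper() in ("GET", "HEAD")
    # SameSite=None is honoured by browsers only together with Secure.
    return cookie.secure


def return_from_3ds(cookie: Cookie) -> bool:
    """The PSP's callback: a top-level POST from its domain back to the shop."""
    return cookie_is_sent(cookie, "https://3ds.psp-placeholder.example",
                          "https://shop.placeholder.example/payment/return",
                          "POST")
```

A cookie that fails `return_from_3ds` is exactly the symptom in the question: the server sees no session cookie on the return POST and issues a fresh session ID.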