2 years ago

#62010

DevelJoe

How to properly restore a deleted PHP $_SESSION

So I have the following problem: I'm using a PHP $_SESSION to authenticate logged-in users and allow access to specific pages of a website A. As the protected parts of A allow payments to be executed, its sessions have to be as secure as possible, hence I'm using:

  • httponly
  • hostonly
  • samesite = Strict
  • secure

PHP Session cookies.

My problem now is that, when a client triggers a payment to A, he gets redirected to his bank's page B for multi-factor authentication of the payment. After that, B redirects him back to A. Obviously, due to samesite = Strict, this process leads to the loss of the session cookie of A, hence to the loss of the client's session at A, so he/she is automatically logged off after the redirect back from B to A.

Thanks to my previous question here, I've been provided with a logic to restore the session safely, so that I don't need to relax the samesite attribute of my session cookies to Lax. All of this works fine; basically I successfully authenticate the client after the redirect back to A via a token. What I simply don't get is how you properly reset a PHP session. Basically, the steps I'm implementing are:

  • Before the redirect from A to B, I store json_encode($_SESSION) on my server, together with a relationship to the authentication token, which will survive the redirect.

  • After the redirect back from B to A, I authenticate the client and then retrieve the stored session data back using $session_data = json_decode( $my_data, true ).

  • I then try to restore the $_SESSION data using:

$_SESSION = $session_data;
session_commit();

When doing so, I tested the following at the very start of the page of A to which B's redirect points:

Test 1: var_dump($_SESSION), resulting in an empty array, which confirms that the session has been lost.

Test 2: var_dump($_SESSION) after doing the restore procedure mentioned above. I get the $_SESSION data array, populated with the data I expected. So far so good; the session data seems to be restored.

The problem now is that when I reload the page to which B redirects, without doing anything else (i.e. running tests 1 and 2 again), I get exactly the same output, although $_SESSION should already be populated when running Test 1 on the second page load.

So it seems that my session data gets written into $_SESSION, but not saved such that it survives a page load. What am I missing?

Note that the session ID changes throughout the procedure I'm using to restore it as described above.

Tags: php, session, session-cookies, session-variables, superglobals
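The checkpoint-and-restore flow the question describes, written out as an added example (this is not the asker's code and not from any library). It assumes a writable, non-web-accessible directory for the checkpoint files (CHECKPOINT_DIR), a ten-minute validity window, and that the return endpoint receives the token as a query parameter named token; all three are assumptions, not something the question states. The restore step is done only after session_start(), since without the Strict cookie that call is what issues the fresh session, and it ends with session_write_close() so the restored data is flushed before the next request.

```php
<?php
// Added example, not the asker's code: checkpoint a PHP session before a
// cross-site redirect and restore it after the return, bound to a one-time token.
// Assumptions: CHECKPOINT_DIR is writable and not served by the web server;
// the return endpoint receives the token in $_GET['token'].
declare(strict_types=1);

const CHECKPOINT_DIR = '/tmp/session-checkpoints'; // assumption
const CHECKPOINT_TTL = 600;                         // seconds; assumption

function configure_session_cookie(): void
{
    // The same cookie flags the question lists. Strict is what keeps the cookie
    // off the redirect back from the bank, so restoration has to rely on the token.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',      // empty domain = host-only cookie
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Step 1 (before redirecting A -> B): persist $_SESSION under a random token.
function checkpoint_session(): string
{
    $token  = bin2hex(random_bytes(32));          // 256-bit, unguessable, single use
    $record = ['created' => time(), 'data' => $_SESSION];
    if (!is_dir(CHECKPOINT_DIR)) {
        mkdir(CHECKPOINT_DIR, 0700, true);
    }
    // File is named by a hash of the token, so the directory itself never lists usable tokens.
    $path = CHECKPOINT_DIR . '/' . hash('sha256', $token) . '.json';
    file_put_contents($path, json_encode($record, JSON_THROW_ON_ERROR), LOCK_EX);
    session_write_close();                        // flush the current session before leaving A
    return $token;                                // carried in the return URL registered with B
}

// Step 2 (on the redirect B -> A): validate the token and rebuild the session.
function restore_session(string $token): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;                             // malformed token, nothing to look up
    }
    $path = CHECKPOINT_DIR . '/' . hash('sha256', $token) . '.json';
    if (!is_file($path)) {
        return false;                             // unknown, expired-and-purged, or already used
    }
    $record = json_decode((string) file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
    unlink($path);                                // single use: a replayed token finds nothing
    if (!is_array($record) || time() - (int) $record['created'] > CHECKPOINT_TTL) {
        return false;
    }

    // The Strict cookie was not sent with this request, so session_start() creates a
    // fresh session and sends a new Set-Cookie. Populate that session, rotate the ID
    // once more, and flush, so the data is on disk before the client's next request.
    configure_session_cookie();
    session_start();
    $_SESSION = $record['data'];
    session_regenerate_id(true);
    session_write_close();
    return true;
}

// Usage on the return endpoint (the parameter name is an assumption):
// if (restore_session($_GET['token'] ?? '')) { header('Location: /account'); exit; }
```

The token appears in the return URL, so it can end up in logs and referrer headers; keeping it single-use and short-lived limits what a captured copy is worth, and the regenerated session ID after restore means the checkpoint never ties back to the pre-redirect session ID.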

0 Answers