This issue only seems to be affecting Firefox, and then only some users (with no obvious version/security setting differences). We are getting session loss in our Laravel app.
We have a payment integration that uses the iframe Opayo server integration. This opens up the payment form in an iframe in the Laravel app. Payment details are provided, and the payment is successful - including hitting an Opayo webhook to confirm the transaction.
The webhook returns a redirect URL that Opayo uses to redirect the user (in the iframe, naturally). This redirect URL is simply a URL on the same site as the app (i.e. the iframe parent).
At the point that the iframe loads the redirect URL, the site session is immediately killed. Originally, the page at the URL broke out of the iframe (set window.top.location), and also did some AJAX calls - I removed both these actions, to confirm they weren't somehow responsible for the session getting nuked.
The site is served over HTTPS with a valid certificate. The session cookie is set to Secure, HttpOnly, and SameSite is 'lax'.
What could be causing this behavior?