Let's break down your issue and walk through actionable solutions—this is a common pain point with redirect-based payment gateways in Magento 2, especially when cross-site POST requests are involved.

The Core Problem #

From your network logs, two key errors stand out:

• Your session has expired
• Invalid Form Key. Please refresh the page.

Magento’s default security measures (form key validation and session IP/context checks) are blocking the cross-site POST request from your payment provider. When you directly GET /checkout/cart/, you’re accessing it as a logged-in/valid session user, but the payment gateway’s POST comes from an external domain, so it doesn’t have the required form key or valid session context.

Solution 1: Use a Dedicated Payment Callback Controller (Best Practice) #

Stop using /checkout/cart/ as your callback URL—this route is built for frontend user interaction, not automated payment webhooks. Create a custom controller instead, which lets you bypass unnecessary security checks and handle payment logic cleanly.

Step 1: Create the Custom Controller

Create app/code/YourVendor/YourModule/Controller/Payment/Callback.php:

<?php
namespace YourVendor\YourModule\Controller\Payment;

use Magento\Framework\App\Action\Action;
use Magento\Framework\App\Action\Context;
use Magento\Framework\Controller\ResultFactory;
use Magento\Sales\Model\OrderFactory;

class Callback extends Action
{
    protected $orderFactory;

    public function __construct(
        Context $context,
        OrderFactory $orderFactory
    ) {
        $this->orderFactory = $orderFactory;
        parent::__construct($context);
    }

    public function execute()
    {
        // Capture POST data from the payment provider
        $postData = $this->getRequest()->getPostValue();

        // Add your payment validation logic here (verify signature, order ID, etc.)
        $orderId = $postData['order_id']; // Adjust based on your gateway's params
        $order = $this->orderFactory->create()->load($orderId);

        // Update order status based on payment result
        if ($postData['payment_status'] === 'success') {
            $order->setState(\Magento\Sales\Model\Order::STATE_PROCESSING)
                  ->setStatus(\Magento\Sales\Model\Order::STATUS_PROCESSING)
                  ->save();
        } else {
            // Handle failed payment
            $order->addStatusHistoryComment('Payment failed: ' . $postData['error_message'])
                  ->setIsCustomerNotified(true)
                  ->save();
        }

        // Redirect to the appropriate page (success/failed)
        $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
        $resultRedirect->setPath($postData['payment_status'] === 'success' ? 'checkout/onepage/success' : 'checkout/cart');
        return $resultRedirect;
    }

    // Bypass form key validation since the gateway won't send it
    protected function _validateFormKey()
    {
        return true;
    }
}

Step 2: Configure the Route

Add app/code/YourVendor/YourModule/etc/frontend/routes.xml:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
    <router id="standard">
        <route id="yourpayment" frontName="yourpayment">
            <module name="YourVendor_YourModule" />
        </route>
    </router>
</config>

Step 3: Update Payment Gateway Settings

Set your callback URL to https://mymagentosite.com/yourpayment/payment/callback.

Solution 2: Fix Session & Form Key Issues for Existing Route (If You Must Use /checkout/cart/) #

If you can’t switch to a custom controller immediately, here’s how to mitigate the problem:

1. Bypass Form Key Validation for /checkout/cart/
   Create a plugin to skip form key checks when the request comes from your payment provider:

<?php
namespace YourVendor\YourModule\Plugin\Controller\Checkout\Cart;

use Magento\Checkout\Controller\Cart\Index as CartIndex;
use Magento\Framework\App\Request\Http;

class BypassFormKey
{
    protected $request;

    public function __construct(Http $request)
    {
        $this->request = $request;
    }

    public function aroundValidateFormKey(CartIndex $subject, \Closure $proceed)
    {
        // Check if request comes from your payment provider (adjust condition as needed)
        $referrer = $this->request->getServer('HTTP_REFERER');
        if (strpos($referrer, 'paymentprovider.com') !== false) {
            return true;
        }
        return $proceed();
    }
}

2. Adjust Session Validation
   Magento checks if the session’s IP matches the request IP for security. Since the payment provider’s IP is different, you can disable this check for the callback route (or globally, but only if necessary):
   Update app/etc/env.php:

'session' => [
    'validator' => [
        'remote_addr' => '0', // 0 = skip IP validation
    ]
]

⚠️ Note: Skipping IP validation reduces security, so use this only temporarily until you implement the custom controller.

3. Verify Cookie Configuration
   Check your Magento cookie settings under Stores > Configuration > Web > Cookie Settings:

• Ensure Cookie Domain matches your site’s domain (e.g., mymagentosite.com)
• Enable Use HTTP Only and Secure since your site uses HTTPS

Solution 3: Rule Out Server & Cache Issues #

• Clear Magento Cache:

  bin/magento cache:clean
  bin/magento cache:flush
  

• Check Apache Security Modules: Disable mod_security temporarily to see if it’s blocking the POST request.
• Compare Working vs. Broken Sites: Since some of your sites work, compare their:
  • Magento versions (minor updates can fix security check logic)
  • Third-party modules (especially payment/security plugins)
  • .htaccess rules (look for redirects or POST blocking rules)

内容的提问来源于stack exchange，提问作者user812120