"SameSite" attribute / Moneris hosted page solution

Just posting a note from our developer on our interface that we use with the Moneris Hosted page interface. Any comments or thoughts on this would be appreciated, but thought I would share our findings.

It appears that Chrome (at least) has changed its policy for handling cookies with "3rd party" sites. Cookies have a "SameSite" attribute. How that is set and how the Secure attribute is set determine where the cookie can go. Here's some browser console output that got me going in this direction. (Note: the domain test.test.com is used below, but that is my internal hosting of the site and not your actual test.test.com.)

A cookie associated with a cross-site resource at http://test.test.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I was able to make some changes, but still ran into a problem with the session cookie. The session cookie is still not being allowed because it is not marked as secure. When there is no session cookie, that means the session has "timed out". By default, security is set to log out when the session times out. Therefore, the payment success is still being sent to the login page. I disabled the "log out when session times out" logic and, as you can see below, the payment success page displays correctly.
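
The rule quoted in the console message above, as an added example that is not part of the original post: a small Node.js audit that checks whether a `Set-Cookie` header carries both `SameSite=None` and `Secure`, and rewrites one that does not. The cookie name `SESSIONID`, the sample values and the function names are assumptions made up for illustration.

```javascript
// Added example: audit Set-Cookie headers against the rule in the Chrome
// console message (cross-site delivery requires SameSite=None and Secure).

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [first, ...rest] = parts;
  const eq = first.indexOf('=');
  const cookie = {
    name: eq < 0 ? '' : first.slice(0, eq),
    value: eq < 0 ? first : first.slice(eq + 1),
    attrs: {},
  };
  for (const p of rest) {
    const i = p.indexOf('=');
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : p.slice(i + 1).trim();
  }
  return cookie;
}

// True if the cookie would accompany a cross-site request under that rule.
function sentCrossSite(header) {
  const { attrs } = parseSetCookie(header);
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  return sameSite === 'none' && attrs.secure === true;
}

// Rewrite a header so it carries SameSite=None and Secure, keeping other attributes.
function allowCrossSite(header) {
  const kept = header.split(';').map((p) => p.trim()).filter(Boolean)
    .filter((p, idx) => idx === 0 || !/^(samesite|secure)\b/i.test(p));
  return [...kept, 'SameSite=None', 'Secure'].join('; ');
}

// Constructed sample headers (cookie name and values are made up).
const samples = [
  'SESSIONID=abc123; Path=/; HttpOnly',
  'SESSIONID=abc123; Path=/; HttpOnly; SameSite=None',
  'SESSIONID=abc123; Path=/; HttpOnly; SameSite=None; Secure',
];
for (const h of samples) {
  console.log(sentCrossSite(h) ? 'sent   ' : 'blocked', h);
}
console.log(allowCrossSite(samples[0]));
```

A cookie marked `Secure` is only sent over HTTPS, so the site receiving the return from the hosted payment page has to be served over HTTPS for the rewritten session cookie to be delivered.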