diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9bc64c2..46bb3a83 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -402,4 +402,12 @@ Compatible from Shopware 6.5.0 up to 6.5.6.1
# 3.2.2
-- Fix: OAuth token requests now use the correct storefront base URL including language prefix (e.g. /en) when using shop.com/en-style domains.
\ No newline at end of file
+- Fix: OAuth token requests now use the correct storefront base URL including language prefix (e.g. /en) when using shop.com/en-style domains.
+
+# 3.2.3
+
+- Fix: Session/token loss on payment cancel for multiple storefronts with different domains. Cancel URL now uses the order's sales channel domain (same approach as push URL).
+- Fix: SalesChannelContextServiceDecorator now uses context token from URL on payment return routes (buckaroo/cancel, checkout/finish, /payment/) to restore session when cookies are not sent.
+- Fix: PaymentContextRestoreSubscriber runs earlier (priority 5) to restore context before Shopware resolves the sales channel.
+- Fix: PaymentReturnContextSubscriber now appends context token to all storefront redirects (checkout, account), not just checkout/finish.
+- Added: PaymentContextCookieSubscriber to explicitly set sw-context-token cookie when restored from URL, enabling use of cookie_samesite: lax without requiring null.
\ No newline at end of file
diff --git a/composer.json b/composer.json
index 1235c0b9..c5f4b1db 100644
--- a/composer.json
+++ b/composer.json
@@ -2,7 +2,7 @@
"name": "buckaroo/shopware6",
"description": "Buckaroo payment provider plugin for Shopware 6",
"type": "shopware-platform-plugin",
- "version": "3.2.2",
+ "version": "3.2.3",
"license": "proprietary",
"minimum-stability": "stable",
"require": {
diff --git a/src/Resources/config/services.xml b/src/Resources/config/services.xml
index c7f271c4..eec0aef3 100644
--- a/src/Resources/config/services.xml
+++ b/src/Resources/config/services.xml
@@ -175,6 +175,10 @@
+
+
+
+
diff --git a/src/Subscribers/PaymentContextCookieSubscriber.php b/src/Subscribers/PaymentContextCookieSubscriber.php
new file mode 100644
index 00000000..314616dd
--- /dev/null
+++ b/src/Subscribers/PaymentContextCookieSubscriber.php
@@ -0,0 +1,60 @@
+ ['onKernelResponse', -5],
+ ];
+ }
+
+ public function onKernelResponse(ResponseEvent $event): void
+ {
+ $request = $event->getRequest();
+ $contextToken = $request->attributes->get('sw-context-token');
+
+ if (!is_string($contextToken) || $contextToken === '') {
+ return;
+ }
+
+ // Only set cookie when we restored from URL (token was in query, not cookie)
+ $tokenFromUrl = $request->query->has('sw-context-token')
+ || $request->query->has('add_sw-context-token')
+ || $request->request->has('sw-context-token')
+ || $request->request->has('add_sw-context-token');
+ if (!$tokenFromUrl) {
+ return;
+ }
+
+ $response = $event->getResponse();
+ $expire = new \DateTimeImmutable('+' . self::CONTEXT_TOKEN_LIFETIME_DAYS . ' days');
+
+ $cookie = Cookie::create('sw-context-token')
+ ->withValue($contextToken)
+ ->withExpires($expire)
+ ->withPath('/')
+ ->withSecure($request->isSecure())
+ ->withHttpOnly(false)
+ ->withSameSite(Cookie::SAMESITE_LAX);
+
+ $response->headers->setCookie($cookie);
+ }
+}
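Review bot: The guard in `onKernelResponse` only checks that a `sw-context-token` or `add_sw-context-token` parameter is present in the query or body. It never compares that parameter with the `sw-context-token` request attribute and never checks the route, so the cookie can be written on any response whose request carries the parameter, not only on payment returns as the inline comment implies. Because the value is caller-supplied and persisted for `CONTEXT_TOKEN_LIFETIME_DAYS`, this is a session-fixation surface unless the code that fills the attribute (not visible here) already binds the token to the returning order; I would restrict the listener to the payment return routes and require the attribute to equal the URL value. `->withHttpOnly(false)` also leaves the token readable by any script on the page, so use `->withHttpOnly(true)` unless storefront JavaScript is known to read this cookie, and say so in a comment if it does. `->withSecure($request->isSecure())` is only reliable behind a TLS-terminating proxy when trusted proxies are configured, which deserves a one-line comment; the top of the new file is missing from this view.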
diff --git a/src/Subscribers/PaymentContextRestoreSubscriber.php b/src/Subscribers/PaymentContextRestoreSubscriber.php
index ba8ede33..30977059 100644
--- a/src/Subscribers/PaymentContextRestoreSubscriber.php
+++ b/src/Subscribers/PaymentContextRestoreSubscriber.php
@@ -19,7 +19,7 @@ class PaymentContextRestoreSubscriber implements EventSubscriberInterface
public static function getSubscribedEvents(): array
{
return [
- KernelEvents::REQUEST => ['onKernelRequest', 50],
+ KernelEvents::REQUEST => ['onKernelRequest', 5],
];
}
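Review bot: Changing the priority from 50 to 5 makes `onKernelRequest` run later, not earlier, because Symfony's dispatcher calls listeners with a higher priority first. The 3.2.3 changelog entry says the subscriber "runs earlier (priority 5)", which contradicts this. If the aim is to restore the context before the listener that resolves the sales channel, the value must be above that listener's priority; if the aim is to run after something registered between 5 and 50, the changelog wording should be corrected. Either way, add a comment naming the listener this is ordered against, e.g. `// must run before <listener> (priority <N>)`, so the number is not changed blindly again.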