Sorry for the late reply, but if you’re still having this issue here’s something that might help.
I’ll just start from the beginning, because I’m not sure of the exact implementation of your system.
First off, the way that a UserAccount is logged in in Moqui is whether the session's ExecutionContext has a user.
In the qapps screen here the user is redirected to /Login if the ExecutionContext's session has no user. Also see this for how jsessionids are created and handled.
When redirecting the user to a URL for a payment gateway, I would imagine that the HTTP request has some kind of authentication to ensure who the User is, how much this user needs to pay, and who the payment is to. This is typically done with API credentials or an API key for the server that you are redirecting your user to.
However, the problem that you have is that after the gateway redirects the user to your website, the user isn’t authenticated. The user’s session is not there and the jsessionid cookie probably got deleted, because the user was redirected to a different website. So the problem that you have is that users are not being authenticated properly after being redirected to a different website. I’m not sure what the API looks like for your payment gateway, but I would imagine that this payment gateway has a way to authenticate redirected users. Whether that’s a username and password, or a token I am not sure, but it sounds like when the user is redirected, you need to authenticate them automatically based on the request that is sent to your server.
If I were you, I would find whatever protocol the payment gateway uses for authentication, and create a service in a specified place that takes in the parameters necessary for this authentication protocol and verifies that the parameters / credentials are correct. Once you have done that, import any data you need into the database and log the user in. When writing this service, if you have for sure authenticated that the user is authentic, then you can use the ec.user.internalLoginUser(username) method to log in the user without a password. But be very careful with this service and method because if constructed improperly, it is basically the definition of a security risk.
Hope that your integration goes well
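
The verification step described in the post above, as an added example that is not part of the original post or of Moqui itself. It assumes a hypothetical gateway that returns the parameters `username`, `timestamp`, `nonce` and a Base64 HMAC-SHA256 `signature` computed with a shared secret; the class name, parameter names and canonical string format are all assumptions to be replaced by whatever your gateway documents.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class GatewayReturnVerifier {            // hypothetical helper, not a Moqui class
    private static final long MAX_AGE_SECONDS = 300;
    // Demo only: store used nonces in the database so replay checks survive restarts.
    private static final Set<String> USED_NONCES = ConcurrentHashMap.newKeySet();

    /** Returns the username that may be logged in, or null if the callback must be rejected. */
    public static String verify(Map<String, String> params, byte[] sharedSecret, Instant now)
            throws GeneralSecurityException {
        String sig = params.get("signature"), ts = params.get("timestamp");
        String nonce = params.get("nonce"), username = params.get("username");
        if (sig == null || ts == null || nonce == null || username == null) return null;

        // Assumed canonical form: every parameter except the signature, sorted by name.
        StringBuilder canonical = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            if (e.getKey().equals("signature")) continue;
            canonical.append(e.getKey()).append('=').append(e.getValue()).append('\n');
        }
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(sharedSecret, "HmacSHA256"));
        byte[] expected = mac.doFinal(canonical.toString().getBytes(StandardCharsets.UTF_8));

        byte[] provided;
        try {
            provided = Base64.getDecoder().decode(sig);
        } catch (IllegalArgumentException e) {
            return null;                                           // malformed signature
        }
        if (!MessageDigest.isEqual(expected, provided)) return null; // constant-time compare

        long age;
        try {
            age = Math.abs(now.getEpochSecond() - Long.parseLong(ts));
        } catch (NumberFormatException e) {
            return null;
        }
        if (age > MAX_AGE_SECONDS) return null;                    // stale callback
        if (!USED_NONCES.add(nonce)) return null;                  // replayed callback
        return username; // only now would the service call ec.user.internalLoginUser(username)
    }
}
```

The signature is checked before the timestamp and nonce so that unauthenticated requests cannot fill the nonce store, and a null result should end the request without creating a session.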