I use the hosted pay page scheme (with GET approved response). First I create an order_id and associate it with the session id of the user; I save this association on the server. I set a URL address for the approved response. The address points to an ASP page. In this ASP page, first I retrieve the session id of the user (because without it he cannot access the site). Then I create a URL containing this session id and some transaction-related values that have been received from the Moneris server, such as response_order_id and banc_transaction_id. Now there is a risk here. Consider that, before paying the amount on the Moneris site, a fake request is made toward the success page. Creating such a request is not too hard, because order_id can be stolen on its route to the server, and for the other values (like banc_transaction_id) the receiver (the success page) has no means to verify their authenticity. Is there any way to check whether the values received on the success page really correspond to the payment under process?
Hello,
You can leverage the async transaction response, link is here: https://developer.moneris.com/Documentation/NA/E-Commerce%20Solutions/Hosted%20Solutions/Hosted%20Payment%20Page#hppflowwithasync to match the transaction data against your receipt data.
You can also use Transaction Verification, links are here: https://developer.moneris.com/Documentation/NA/E-Commerce%20Solutions/Hosted%20Solutions/Hosted%20Payment%20Page#hppprocessflowwithtransactionverification, and https://developer.moneris.com/Documentation/NA/E-Commerce%20Solutions/Hosted%20Solutions/Hosted%20Payment%20Page#hppwithtransactionverificationrequest.
You can validate the response based on the orderID and $ value. Alternatively, you can also set special fields to evaluate under the GET send. However, the whole value read could be better avoided by using POST instead of GET. Another way to tackle this could also be to evaluate the source URL from the receipt POST/GET. Even though the above are our best-effort recommendations, you would be responsible for engineering the security and validation of your solution. If the hosted pay page does not meet your needs, you may want to consider using the APIs and coding your payment solution from scratch so you have more control and can implement session controls throughout the process. Thank you.
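A server-side check along the lines the reply describes (look the order up by id, bind it to the caller's session, confirm approval and amount through an authoritative gateway lookup rather than the fields carried by the redirect, and accept each receipt only once), written here as an added Python example that is not part of the thread or of Moneris' own code. The `Order` store, the `gateway_lookup` callback and all sample values are assumptions; the callback is the place where the Transaction Verification request from the linked documentation would be issued.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class Order:
    """Hypothetical server-side order row created before redirecting to the HPP."""
    session_id: str          # session the order was created under
    amount: str              # exact amount string sent to the HPP, e.g. "10.00"
    completed: bool = False  # set once a verified receipt has been accepted

GatewayLookup = Callable[[str], Optional[Dict[str, str]]]

def verify_receipt(params: Dict[str, str], session_id: str,
                   orders: Dict[str, Order], gateway_lookup: GatewayLookup) -> bool:
    """Return True only if a hit on the success page reflects a real, unused payment.

    params         -- fields received by the success page; attacker-controllable
    session_id     -- the caller's own session id, read by the page itself
    orders         -- server-side store keyed by order_id (assumption)
    gateway_lookup -- authoritative lookup by order_id (e.g. Transaction
                      Verification); returns the gateway's record or None
    """
    order = orders.get(params.get("response_order_id", ""))
    if order is None or order.completed:
        return False                       # unknown order, or a replayed receipt
    if order.session_id != session_id:
        return False                       # order_id reused from another session
    txn = gateway_lookup(params["response_order_id"])
    if txn is None or txn.get("approved") != "true":
        return False                       # gateway has no approved transaction yet
    if txn.get("amount") != order.amount:
        return False                       # amount tampered with or partial payment
    order.completed = True                 # accept once; later hits are rejected
    return True

# Constructed stand-in for the gateway's authoritative answer after payment.
GATEWAY_RECORDS = {"ord-1001": {"approved": "true", "amount": "10.00"}}

def fake_gateway_lookup(order_id: str) -> Optional[Dict[str, str]]:
    return GATEWAY_RECORDS.get(order_id)

def nothing_paid_yet(order_id: str) -> Optional[Dict[str, str]]:
    """Gateway view before the customer has paid: no record at all."""
    return None
```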