I'm building a payment page in asp.net, however the page where you order your items is run in HTTP (non-secure) on my domain.

When redirecting the user to the payment site, I have to go through a different domain (my payment provider, from whom I borrow the SSL certificate), so my payment url ends up like https://www.paymentprovider.com/somescript.cgi/www.mydomain.com/mypaymentpage.aspx

Now the problem is my session is lost, but I store the order in session, so I desperately need it.

Can I somehow send the SessionID in the querystring and restore the session from it, or do I need to stuff the entire order into the querystring? (Not too certain it'll fit though, it's rather long.)

Any help will be highly appreciated :-)

A: 

Why don't you load the Session into a Cookie right before redirecting, and when the user reaches your payment area, re-create the session from that cookie?

TheGeekYouNeed
that would be more than unsafe
Tim Mahy
And doesn't work because the cookie isn't available as I'm on a different domain.
Steffen
+1  A: 

Steffen

the correct way is to use a unique orderId that you send with the payment, and the payment gateway then sends it back to you.

It's not as simple as it sounds, because for security you need either to encrypt the orderID, sending it and getting it back encrypted, or else everyone can see and change your orders; or communicate with the payment gateway over some kind of encrypted protocol.

PayPal does it this way: with your order you need to send PayPal a unique ID that you can use only once, for one transaction, and then PayPal makes the reference based on this ID.

The other way you mention, with the session and the cookie, is not safe, and both can expire, get lost, whatever. The session is saved in a cookie anyway. A longer session timeout could make what you already have work, but it's unsafe and depends on whatever happens to the session or the cookie.

Aristos
The problem is the order isn't stored in a database, but I guess I have to change that, so I can use the OrderID approach. Thanks for the comment.
Steffen
@Steffen yes, you absolutely must find a way to store a unique orderID even if the order is left open, and every new order must get a new unique orderID; this is what you pass with the order in every state across your pages.
Aristos
I've got it running now. I create every order in the database, and use a GUID for my querystring upon passing between domains. I use a GUID so people can't just plug in 1, 2, 3 etc. to view other people's orders. I realize this isn't perfect, but when I'm stuck with the querystring, it's pretty much the best I can get. Thanks again for your advice :-)
Steffen
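The approach the thread converges on (an unguessable order id stored in the database, passed across domains in the querystring, and protected against tampering as Aristos describes) can be shown as an added example; this is illustrative code, not anything from the question or the answers, and it assumes a hypothetical server-side secret and a short expiry window. The order id itself is the database key the receiving page looks up instead of restoring a session.

```python
import hashlib
import hmac
import time
import uuid
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Hypothetical server-side secret for this example only; a real deployment
# loads it from protected configuration and never hard-codes it.
SECRET_KEY = b"example-only-secret-key-change-me"


def new_order_id() -> str:
    """Random, non-enumerable order identifier (a GUID, as the thread settled on)."""
    return str(uuid.uuid4())


def sign_order_ref(order_id: str, ttl_seconds: int = 900, *, now: Optional[int] = None) -> str:
    """Build the querystring carried to the other domain: order id, expiry, HMAC tag.
    The tag binds the id and expiry together so neither can be altered unnoticed."""
    exp = (now if now is not None else int(time.time())) + ttl_seconds
    msg = f"{order_id}|{exp}".encode()
    tag = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return urlencode({"order": order_id, "exp": exp, "sig": tag})


def verify_order_ref(query: str, *, now: Optional[int] = None) -> Optional[str]:
    """Return the order id if the tag is valid and unexpired, otherwise None.
    Only after this succeeds should the order be loaded from the database."""
    params = parse_qs(query, keep_blank_values=True)
    try:
        order_id = params["order"][0]
        exp = int(params["exp"][0])
        tag = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None  # missing or malformed parameters
    current = now if now is not None else int(time.time())
    if current > exp:
        return None  # stale reference; a replayed old link is refused
    expected = hmac.new(SECRET_KEY, f"{order_id}|{exp}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking tag bytes through timing differences.
    if not hmac.compare_digest(expected, tag):
        return None  # order id or expiry was changed in transit
    return order_id


if __name__ == "__main__":
    oid = new_order_id()
    q = sign_order_ref(oid)
    print(q, "->", verify_order_ref(q))
```

The HMAC gives integrity, not secrecy: the order id is still visible in the URL, which is why it must be a random GUID and not a sequential number.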