A payment gateway we are trying out returns full details of the operation in the response URL as _GET parameters, including the authorisation number from the bank and an encrypted hash (to check the data has not been tampered with).
On the page it is returned to, I simply process these and then 301 to the confirmation page.
All of it is under SSL.
Is there any reason why this shouldn't be secure? The reason I ask is that normally I am used to capturing _POST params with curl or similar.
Surely as long as everything is under SSL and after processing the order I redirect to the confirmation page, then all's fine?
Just to update this: we have set Apache not to log that page. The user is instantly redirected to the confirmation page. It all happens under SSL and within an iframe, so nothing visible is shown in the address bar.
Theoretically a savvy user could watch the headers whilst making his purchase to see what kind of data is being sent back and forth. That would give him access to the authorisation number for his purchase. However, without our secret encryption key, that auth number is useless to him.
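The tamper check the post relies on, written out as an added example that is not part of the original post and not the gateway's own code: the return page recomputes the hash over the received parameters, compares it in constant time, and accepts each order only once so a copied return URL cannot be replayed. The parameter names (`order_id`, `amount`, `auth_no`, `hash`), the HMAC-SHA256 scheme and the secret are assumptions; the gateway's real signing format will differ.

```php
<?php
// Added example. Parameter names, the HMAC-SHA256 scheme and the secret are
// assumptions for illustration, not the gateway's documented format.
const GATEWAY_SECRET = 'constructed-demo-secret'; // placeholder; load from config in practice

// Canonical string to sign: every parameter except the hash, sorted by key.
function canonicalise(array $params): string
{
    unset($params['hash']);
    ksort($params, SORT_STRING);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

function sign(array $params, string $secret): string
{
    return hash_hmac('sha256', canonicalise($params), $secret);
}

// Returns true only for an untampered response seen for the first time.
// $seen stands in for a database table with a unique key on order_id.
function accept_response(array $get, string $secret, array &$seen): bool
{
    if (!isset($get['hash'], $get['order_id'], $get['amount'], $get['auth_no'])) {
        return false;                       // a required field is missing
    }
    foreach ($get as $value) {
        if (!is_string($value)) {
            return false;                   // rejects array input such as hash[]=x
        }
    }
    if (!hash_equals(sign($get, $secret), $get['hash'])) {
        return false;                       // constant-time compare failed: tampered
    }
    if (isset($seen[$get['order_id']])) {
        return false;                       // valid URL presented a second time
    }
    $seen[$get['order_id']] = true;         // record before fulfilling the order
    return true;
}

// Constructed sample data: a valid response, a tampered copy, then a replay.
$seen = [];
$valid = ['order_id' => '1001', 'amount' => '49.90', 'auth_no' => '123456'];
$valid['hash'] = sign($valid, GATEWAY_SECRET);
$tampered = $valid;
$tampered['amount'] = '0.01';
foreach (['valid' => $valid, 'tampered' => $tampered, 'replayed' => $valid] as $label => $get) {
    echo $label, ': ', accept_response($get, GATEWAY_SECRET, $seen) ? 'accepted' : 'rejected', PHP_EOL;
}
```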