a payment gateway we are trying out returns full details of the operation in the response URL as _GET parametres. including the authorisation number from the bank and encrypted hash (to check data has not been tampered with).
on the page it is returned to i simply process these and then 301 to the confirmation page.
all of it is under SSL.
is there any reason why this shouldn't be secure? the reason i ask is that normally i am used to capturing _POST params with curl or similar.
surely as long as everything is under SSL and after processing the order I redirect to the confirmation page, then all's fine?
thanks for help