We are looking at possibly using Auth.net's DPM solution for our cc processing. The plan is to use asp.net mvc as the host application. Here are a few questions that I need answered.
1) Is there a way to pass in extra info to be passed back to the success page, such as productId and a security token?
2) On postback, will the request still be viewed as being within the original user session, or will it spawn a new userless session?
A sample route might look like this: Payment/Success/{productId}
The handling action would make an entry into the local db associating the user with his newly purchased product, giving him online access to it. The problem I foresee is if a user who has not made an actual purchase learns the url and makes a static form page of his own, posts to our system, and gets free access. I'd like to make use of .net's SecurityTokens but am unsure if Auth.net postbacks are set up to include this information.
Thanks for any advice or tips you may have for me.
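
One way to build the kind of security token the post asks about, as an added example (not part of the original post, and not Authorize.Net or ASP.NET code): an HMAC-signed, expiring token that binds productId to the purchasing user, so the success action can reject a hand-made form post. `PostbackToken` and its methods are hypothetical names; the example assumes .NET Core 2.1 or later (for `CryptographicOperations`), that the gateway returns custom form fields unchanged on the postback, and that user ids contain no `|`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (an assumption, not a gateway or framework API).
// The token travels as an extra form field and comes back on the postback.
public static class PostbackToken
{
    // key: server-side secret that is never sent to the browser.
    public static string Create(byte[] key, int productId, string userId, DateTimeOffset expires)
    {
        string payload = $"{productId}|{userId}|{expires.ToUnixTimeSeconds()}";
        byte[] data = Encoding.UTF8.GetBytes(payload);
        return Convert.ToBase64String(data) + "." + Convert.ToBase64String(Sign(key, data));
    }

    // True only if the MAC verifies, the token has not expired, and the product
    // in the token matches the {productId} taken from the route.
    public static bool TryValidate(byte[] key, string token, int routeProductId,
                                   DateTimeOffset now, out string userId)
    {
        userId = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;

        byte[] data, mac;
        try { data = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }

        // Verify the MAC in constant time before trusting any payload field.
        if (!CryptographicOperations.FixedTimeEquals(mac, Sign(key, data))) return false;

        string[] f = Encoding.UTF8.GetString(data).Split('|');
        if (f.Length != 3) return false;
        if (!int.TryParse(f[0], out int productId) || productId != routeProductId) return false;
        if (!long.TryParse(f[2], out long exp) || now.ToUnixTimeSeconds() > exp) return false;

        // The user comes from the signed payload, not from a session cookie.
        userId = f[1];
        return true;
    }

    private static byte[] Sign(byte[] key, byte[] data)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(data);
    }
}
```

A valid token can still be replayed until it expires, so the success action should also record each token or transaction as fulfilled and refuse a second use.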