payfort / payfort-dotnet-sdk

MIT License

How to make a secure call asp.net mvc #6

Open saifobeidat opened 4 years ago

saifobeidat commented 4 years ago

Hi,

I checked the Documentation and the attached sample, and I concluded that all you need is to submit a form with the necessary data:

```html
<form method="post" action="https://sbcheckout.payfort.com/FortAPI/paymentPage" id="form1" name="form1">
    <input type='hidden' name='signature' value="<%=signature %>" />
    <input type='hidden' name='service_command' value='' />
    <input type='hidden' name='access_code' value='' />
    <input type='hidden' name='merchant_identifier' value='' />
    <input type='hidden' name='merchant_reference' value="" />
    <input type='hidden' name='language' value='' />
    <input type='hidden' name='return_url' value="" />
    <button type="submit">Submit</button>
</form>
```

This works perfectly and it redirects me to https://sbcheckout.payfort.com/FortAPI/paymentPage?S=1&#no-back-button, and from that point I can proceed successfully in the payment process. But my issue is that I think this is insecure since all data is exposed, so I decided to call this form from a C# controller so I can hide some data like the access code.

```csharp
using System.IO;
using System.Net;
using System.Text;
using System.Web.Mvc;

// Routed as /umbraco/surface/payment/pay: controller "Payment", action "pay"
public class PaymentController : Controller
{
    public ActionResult pay()
    {
        var newdata = "command=PURCHASE&access_code=AccessCodeHere&merchant_identifier=testSXfzYX" +
                      "&merchant_reference=MyReference125201923859PM&customer_email=emailishere@test.com" +
                      "&amount=35000&currency=JOD&language=ar" +
                      "&return_url=http://domain.com/umbraco/surface/FortResponse/working" +
                      "&signature=1235testest64179b0517b85d991ceb1d6f076437ae191603cbe1e479";
        byte[] dataBytes = Encoding.UTF8.GetBytes(newdata);

        // Server-side POST of the form data to the payment page
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://sbcheckout.payfort.com/FortAPI/paymentPage");
        request.AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate;
        request.ContentLength = dataBytes.Length;
        request.ContentType = "application/x-www-form-urlencoded";
        request.Method = "POST";
        request.AllowAutoRedirect = true;

        using (Stream requestBody = request.GetRequestStream())
        {
            requestBody.Write(dataBytes, 0, dataBytes.Length);
        }

        // Read the gateway's response body and return it as the HTML of this action
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (Stream stream = response.GetResponseStream())
        using (StreamReader reader = new StreamReader(stream))
        {
            return Content(reader.ReadToEnd(), "text/html");
        }
    }
}
```

I tried to execute the method that makes the submission process, but unfortunately it keeps redirecting me to http://localhost:9445/umbraco/surface/payment/pay#no-back-button rather than https://sbcheckout.payfort.com.

Yes, I know it opens the expected screen, but with a wrong URL, which causes errors when I try to proceed with the payment; see the image below:

[image]

I am using ASP.NET MVC; any help would be appreciated.

Thanks!

MohammadHananny commented 4 years ago

Hello Saif, in MVC the URL used will always be based on the Action. If you are doing a post and want to show the user a detail page after the post, use this:

https://en.wikipedia.org/wiki/Post/Redirect/Get

Also, this will prevent duplicate purchases from your side.

For any other query or more details, please send an email to integration@payfort.com to proceed with your ticket.

Thanks
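As an added example (not code from the SDK or from anyone in this thread) of the Post/Redirect/Get pattern pointed to above, applied to the form at the top of the issue: the POST action records the order and redirects, and the GET action renders a self-submitting form so that the browser, not the server, posts to the gateway and therefore lands on the gateway's own URL. The config keys, the `Return` action, TempData as order storage and the signature recipe are assumptions to be checked against PayFort's documentation.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
public class PaymentController : Controller
{
    private const string GatewayUrl = "https://sbcheckout.payfort.com/FortAPI/paymentPage";
    // Assumed config source; the SHA request phrase is the one value that must never reach the browser.
    private static string Setting(string key) => Environment.GetEnvironmentVariable(key) ?? "";

    // Step 1 (POST): record the order, then redirect (Post/Redirect/Get) so a refresh cannot re-POST it.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Pay(decimal amount)
    {
        TempData["ref"] = Guid.NewGuid().ToString("N");           // one reference per order (assumed storage)
        TempData["amount"] = ((long)(amount * 1000)).ToString();  // minor units: 35.000 JOD -> "35000"
        return RedirectToAction("Checkout");
    }

    // Step 2 (GET): a self-submitting form. The browser, not the server, posts it to the gateway,
    // so the payment page is served from sbcheckout.payfort.com rather than from a localhost action URL.
    [HttpGet]
    public ActionResult Checkout()
    {
        if (TempData["ref"] == null) return RedirectToAction("Index");   // nothing pending to pay
        var fields = new SortedDictionary<string, string>(StringComparer.Ordinal)
        {
            ["command"] = "PURCHASE",
            ["access_code"] = Setting("PAYFORT_ACCESS_CODE"),
            ["merchant_identifier"] = Setting("PAYFORT_MERCHANT_ID"),
            ["merchant_reference"] = (string)TempData["ref"],
            ["amount"] = (string)TempData["amount"],
            ["currency"] = "JOD",
            ["language"] = "en",
            ["return_url"] = Url.Action("Return", "Payment", null, Request.Url.Scheme),  // assumed action
        };
        // Hidden inputs are visible to the user anyway; the signature is what stops them being altered.
        fields["signature"] = Sign(fields, Setting("PAYFORT_SHA_REQUEST_PHRASE"));
        string inputs = string.Concat(fields.Select(kv => $"<input type=\"hidden\" name=\"{kv.Key}\" value=\"{HttpUtility.HtmlAttributeEncode(kv.Value)}\">"));
        return Content($"<form method=\"post\" id=\"f\" action=\"{GatewayUrl}\">{inputs}<noscript><button>Continue</button></noscript>" +
                       "</form><script>document.getElementById('f').submit()</script>", "text/html");
    }

    // Assumed signing shape (phrase + sorted key=value pairs + phrase, SHA-256); check it against PayFort's docs.
    private static string Sign(SortedDictionary<string, string> fields, string phrase)
    {
        string joined = phrase + string.Concat(fields.Select(kv => kv.Key + "=" + kv.Value)) + phrase;
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(joined))).Replace("-", "").ToLowerInvariant();
    }
}
```

Because the signature covers every hidden field, a value edited in the browser's developer tools is rejected by the gateway; what must stay out of the page is only the request phrase used to compute it.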

AhmedHeasat commented 4 years ago

Hi @MohammadHananny ,

We're using https://docs.payfort.com/docs/api/build/index.html#redirection to handle the payment process. We have set the return_url, which will be opened for the customer once the payment is done. But the main issue is that the return URL will be called only after the user clicks on the (Back to merchant) button, so we can't track and capture the payment status before the user clicks the button. Isn't there a notification URL or something similar which will be hit immediately once the payment succeeds or fails?

MohammadHananny commented 4 years ago

Please contact integration@payfort.com to help you with this.

GosamaB commented 3 years ago

@saifobeidat @AhmedHeasat I'm facing the same issue; did you figure out the solution?