If the success variable you are counting comes in from the URL, then it is not a secure method of authenticating the transaction, as a user could just visit the same page with the URL parameter set correctly to bypass the transaction process.
If you store the cart summary and details in your db, you can use some type of order identifier that is passed back to repopulate the cart from a recordset that is filtered on the identifier that would be passed back. You could store your own identifier in a cookie and, when the user is returned, filter a recordset based on that identifier in the cookie. This will give you a recordset that you could then use to populate the cart.
Once the user leaves the site, you will not have access to the session variables, but you can access cookies that are not expired. You can have this implemented in just about any way you are comfortable with, but unless you get some type of secure response from the bank confirming the status of the transaction, you will not be able to confirm the status of the transaction with any certainty.
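
A sketch of the flow described above, added as an example and not part of the original post: the cart is stored under an identifier kept in a cookie, the return page ignores the URL's success flag, and only a verified message from the bank marks the order paid. The in-memory `ORDERS` store, the function names, and the HMAC-signed notification format are assumptions; a real gateway defines its own confirmation mechanism.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: the bank signs its server-to-server notification with a
# shared secret (HMAC-SHA256). Constructed demo value.
GATEWAY_SECRET = b"constructed-demo-secret"
ORDERS = {}  # stands in for the orders table in the db


def create_order(cart_items):
    """Store the cart before sending the user to the bank; return the cookie value."""
    order_id = secrets.token_urlsafe(16)  # unguessable identifier
    ORDERS[order_id] = {"items": list(cart_items), "status": "pending"}
    return order_id


def handle_return(cookie_order_id, url_params):
    """User is back from the bank: repopulate the cart from the stored order."""
    order = ORDERS.get(cookie_order_id)
    if order is None:
        return None
    # url_params (e.g. success=1) is user-controlled and deliberately ignored.
    return {"items": order["items"], "status": order["status"]}


def sign(body):
    """Hex HMAC-SHA256 of the notification body under the shared secret."""
    return hmac.new(GATEWAY_SECRET, body, hashlib.sha256).hexdigest()


def handle_bank_notification(body, signature):
    """Mark the order paid only if the bank's signature verifies."""
    if not hmac.compare_digest(sign(body).encode(), signature.encode()):
        return False
    msg = json.loads(body)
    order = ORDERS.get(msg.get("order_id"))
    if order is None or msg.get("status") != "paid":
        return False
    order["status"] = "paid"
    return True
```
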