Problem/ Question on accomplishing bank payment the right way

First of all, sorry for a long post and also sorry for my English, my mother tung is Swedish.

In the checkout process (asp, ecart 4) I gather the necessary information about the customer (name.asp). Then after hitting "Ok", on the next page (payment.asp) the user can, besides review the order, choose his/her own bank from the 4 bank-logos and upon clicking on one of these the user is taken to his/her bank to pay online for the purchase, these logos are submitting a form with a bunch of hidden fields. This is the only way for me to do it, it's by the bank's rules for online payment's. This means that this very page is the last page that I can influence in any way before the transaction is to be taken place (or rejected by the customer or the bank). This means that I have the order sent upon clicking one of these bank-logos. This is too early. It could be that the user chances his/her mind before making the transaction at the bank or maybe the transaction simply fails for other reasons.

I have tried to make this kind of work by sending another mail to the store owner when the customer is taken to the "thank you" -page after a successful payment. This mail includes some information of the payment embedded in the address bar which I'm able to pass on in the mail.
This is obvious not satisfactory as every order that comes in has to be checked against another mail.

Now the store owner insists that the order is sent only after a bank transfer has taken place.

I guess this would have to be done by NOT emptying the cart upon clicking on the bank logo on (payment.asp) and that the order would be sent at the "thank you" -page after a successful bank-transfer and then the cart would be emptied. But how? Is this possible? The payment is made outside of the site, isn't the session lost? I know I am ;)

The fundamental issue at hand is getting a response from the bank that processed the transaction to confirm that he transaction has successfully occurred. If you are just sending the user to a thank you page then you are not able to confirm the status of the transaction and have no guarantee that it was successful.

This is usually handled by some type of secure post back from the bank. In this return post there should be a unique identifier for the order that will let you know what order the return post is for. The idea is that before you send the user off to the bank site you record the order in a database using the store order summary and store order details server behaviors. Then when the bank posts back with a successful transaction you would update this order record to indicate that it was successfully transacted. At that point you can send the user or store operator an email receipt to indicate the successful status.

Unless the banks have a way to post back the details like this it will not be possible for you to confirm that status of the transaction. Also, if the status is not posted back in real time you will not be able to indicate to the user the status at the time of the transaction, so sending them an email would be the only way to inform them.

This is obviously going to require further custom development on your behalf to implement, but you should start with any development guides you have for the banks to see if this type of post back is possible and determine how it is implemented.

Wow, sounds pretty challenging.

No way to do this using the session variable? I'm using cookie to store the session. I was wondering if it would be possible not to empty the cart upon leaving the site for the bank transfer. Then, back on the "thankyou -page", if the query string contains the right string telling that the transfer was successful (every bank has at least this feature) THEN I would send the order and empty the cart.

Wouldn't this be possible?

If the success variable you are counting comes in from the URL then it is not a secure method of authenticating the transaction as a user could just visit the same page with the URL parameter set correctly to bypass the transaction process.

If you store the cart summary and details in your db you can use some type of order identifier that is passed back to repopulate the cart from a recordset that is filtered on the identifier that would be passed back. You could store your own identifier in a cookie and when the user is returned filter a recordset based on that identifier in the cookie. This will give you a recordset that you could then use to populate the cart.

Once the user leaves the site you will not have access to the session variables but you can access cookies that are not expired. You can have this implemented in just about any way you are comfortable with but unless you get some type of secure response from the bank confirming the status of the transaction you will not be able to confirm the status of the transaction with any certainty.