General payment gateway integration question

I am currently working on a project where payment gateway integration is required. This question is a general security question, regardless of which payment gateway provider I am using.

As far as I know, most payment gateways require a unique reference no. and a return URL to be passed as parameters to the payment request URL, and then the payment gateway sends back a response to the return URL passed, along with the reference no. and other parameters. My question is: what if my user manually calls the return URL with the parameters to fake the system, as if it were a genuine response from the IPG?

Usually I have to check that the unique reference no. that came from the response matches the one I sent, which is stored in the session.

However, my question is: what if my user passes the unique reference no. as well, since it is passed as a hidden field and is still visible in the browser source before the IPG request URL is called?
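
The return-URL check described in the question, next to a stricter one, as an added example that is not part of the original post. It assumes the gateway signs its response with an HMAC-SHA256 over a secret shared with the merchant, which the post does not state; the field names, the signing scheme and all values are hypothetical and constructed.

```python
import hashlib
import hmac

# Constructed values for illustration only; not from any real gateway.
SHARED_SECRET = b"constructed-merchant-secret"
SIGNED_FIELDS = ("reference_no", "amount", "status")


def sign(params: dict) -> str:
    """HMAC-SHA256 over the fields in a fixed order (hypothetical scheme)."""
    message = "|".join(str(params[f]) for f in SIGNED_FIELDS).encode()
    return hmac.new(SHARED_SECRET, message, hashlib.sha256).hexdigest()


def accept_by_reference_only(params: dict, session: dict) -> bool:
    """The check described in the question: reference matches the session."""
    return (params.get("status") == "SUCCESS"
            and params.get("reference_no") == session.get("reference_no"))


def accept_signed(params: dict, session: dict) -> bool:
    """Reference check plus proof that the gateway produced the parameters."""
    if any(f not in params for f in SIGNED_FIELDS):
        return False
    supplied = str(params.get("signature", "")).encode()
    if not hmac.compare_digest(sign(params).encode(), supplied):
        return False
    return (params["status"] == "SUCCESS"
            and params["reference_no"] == session.get("reference_no")
            and params["amount"] == session.get("amount"))


# Constructed session state saved before redirecting the user to the gateway.
SESSION = {"reference_no": "ORD-1001", "amount": "49.90"}

# Genuine response: the gateway knows the secret and signs what it sends.
GENUINE = {"reference_no": "ORD-1001", "amount": "49.90", "status": "SUCCESS"}
GENUINE["signature"] = sign(GENUINE)

# Hand-built request: the reference number is readable in the page source,
# but the sender has no secret and therefore no valid signature.
HAND_BUILT = {"reference_no": "ORD-1001", "amount": "49.90",
              "status": "SUCCESS", "signature": "0" * 64}

if __name__ == "__main__":
    for name, req in (("genuine", GENUINE), ("hand-built", HAND_BUILT)):
        print(name, accept_by_reference_only(req, SESSION),
              accept_signed(req, SESSION))
```

Where a gateway offers no signed response, the comparable check is a server-to-server status query for the reference number before the order is marked paid.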