Reputation: 2227
I'm running a Stripe test payment on an ASP.NET site. When the user is ready to pay they are forwarded to their gateway to collect card details.
Once they complete a successful payment they are returned to the success URL I set with the {SESSION_ID} variable alongside the URL, i.e. www.example.com/success?session_id={Session_ID}.
I then process the payment by getting the session first:
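```csharp
using Stripe;
StripeConfiguration.ApiKey = "sk_test_123";
var service = new SessionService();
// Retrieve the Checkout Session by the id passed back on the success URL
Checkout.Session sess = service.Get("cs_test_4561");
```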
I then find the payment from my database using the session ID I saved and passed when the user checked out.
My concern is that through a web sniffer tool the Session ID can be picked up and you can pass that manually to the successURL.
I can add HTTPS to the site, but is there anything else I could do to make this a little more difficult, i.e. expire the Session ID after some time or have a value from Stripe to confirm the payment is successful?
Edit 1:
My code-behind to set the SessionCreateOptions:
```csharp
var options = new SessionCreateOptions
{
    PaymentMethodTypes = new List<string> { "card", },
    LineItems = GetItems(),
    SuccessUrl = "www.example.com/success?session_id={CHECKOUT_SESSION_ID}",
    CancelUrl = "www.example.com/cancel",
    PaymentIntentData = new SessionPaymentIntentDataOptions
    {
        Metadata = new Dictionary<string, string>{
            {"orderID","123"}
        }
    },
    Mode="payment",
};
var service = new SessionService();
Session session = service.Create(options);
```
When the user is returned to the success page, I run the above code to get the Session, but payment_intent is null if I type sess.PaymentIntent.
Upvotes: 1
Views: 583
Reputation: 2908
When you retrieve the CheckoutSession by its id, you should check its payment_intent to verify that it shows status: succeeded. That shows that the payment went through without issue.
More details on the entire process here: https://stripe.com/docs/payments/checkout/fulfillment
Upvotes: 1
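One way to apply the check described in the answer on the success page, as an added example (not code from either post or from Stripe). It uses Stripe.net's `SessionGetOptions.Expand` so that `PaymentIntent` is populated instead of null; the `Order` class and the `CheckoutVerifier`, `Load`, `ShouldFulfil` and `Sample` names are hypothetical, standing in for the row saved at checkout.

```csharp
using System;
using System.Collections.Generic;
using Stripe;
using Stripe.Checkout;

// Hypothetical order row saved when the Checkout Session was created.
public class Order { public string OrderId; public string SessionId; public bool Fulfilled; }

public static class CheckoutVerifier
{
    // Retrieve the session server-side with payment_intent expanded; without
    // Expand, sess.PaymentIntent is null and only sess.PaymentIntentId is set.
    public static Session Load(string sessionId)
    {
        var options = new SessionGetOptions { Expand = new List<string> { "payment_intent" } };
        return new SessionService().Get(sessionId, options);
    }

    // Fulfil only if Stripe reports success for this exact, unfulfilled order.
    public static bool ShouldFulfil(Session sess, Order order)
    {
        if (sess?.PaymentIntent == null || order == null) return false;
        if (order.Fulfilled) return false;               // success URL replayed
        if (sess.Id != order.SessionId) return false;    // session of another order
        if (sess.PaymentIntent.Status != "succeeded") return false;
        var meta = sess.PaymentIntent.Metadata;
        return meta != null && meta.TryGetValue("orderID", out var id) && id == order.OrderId;
    }

    // Constructed sample data (no network call); Load() is for the real page.
    static Session Sample(string status) => new Session
    {
        Id = "cs_test_4561",
        PaymentIntent = new PaymentIntent
        {
            Status = status,
            Metadata = new Dictionary<string, string> { { "orderID", "123" } }
        }
    };

    public static void Main()
    {
        var order = new Order { OrderId = "123", SessionId = "cs_test_4561" };
        Console.WriteLine(ShouldFulfil(Sample("succeeded"), order));
        Console.WriteLine(ShouldFulfil(Sample("requires_payment_method"), order));
        order.Fulfilled = true;  // mark the order done after the first fulfilment
        Console.WriteLine(ShouldFulfil(Sample("succeeded"), order));
    }
}
```

On the real success page, pass the `session_id` query value to `Load` and persist `Fulfilled` together with the fulfilment itself, so a session ID that is resubmitted to the success URL changes nothing.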