The protocol calls for a POST to an MPP URL, which then runs the user through the usual type of payment screens (credit card type, etc) and eventually POSTs back a yay or nay.
However, the data in the initial POST request includes no verification hash. So if I use a client-side redirect then in principle it is wide open to malicious tinkering at the client end before being passed on.
But if I do a server-side redirect, how will the user's browser know?
I'm sure I've had this problem before, but I forget how I solved it (if indeed I did).
I'm tempted just to go with the client-side redirect, because in practice nothing bad would probably happen. But this does involve money, and it is a clientco project. So I'd rather be professional about it, or at least alert the client if there is a chink in the armour, however slight.
None of the above is intended as any criticism of MPP - I only started on this mini-project today, and may have missed some aspect that makes the process completely secure.
