Hosted Payment Page, non-iframe, tying refId to transId?
The Hosted Payment Page, when used as a redirect, does not return the merchant transaction ID (refId) to the final success page.
It does send the Authorize.Net ID (transId) to the appropriate registered webhook(s). But it does not send the refId there, so there appears to be no way to tie the two together - the merchant ID and the gateway ID.
I realise there is some front-end magic that can be done with iframes, but that being handled at the front end feels kind of dangerous. It's not signed, and could be manipulated to switch transactions by someone with ill intent.
One way I was thinking, was to use the notification URI to send the refId to the notification handler, since a unique notification URI can be supplied for every transaction, and it is signed before it is passed to the user for redirection.
Is this a technique people use, or is there another way I am missing?