
ASP.net c# post form on users behalf

I have an ASP button, when it is clicked it calls a function which adds order information into my database. The next step of the order process is to transfer the user over to the payment gateway with this form:

<form action="https://select-test.wp3.rbsworldpay.com/wcc/purchase" name="BuyForm" method="POST">
<input type="hidden" name="instId"  value="151711">
<input type="hidden" name="cartId" value="abc123">
<input type="hidden" name="currency" value="GBP">
<input type="hidden" name="amount"  value="1221">
<input type="hidden" name="desc" value="">
<input type="hidden" name="testMode" value="100">
<input type="submit" value="To Payment!">
</form>

However I really would like it so that the user:

Pressed order button -> Order function called -> User automatically passed to order page

As opposed to:

Pressed order button -> Order function called -> User goes to another page -> User manually clicks button to go to worldpay payment page

Is there any way in C# to redirect the user to the order page, and submit form data with them?


You could redirect from the submit handler of the first order form:

Response.Redirect("https://select-test.wp3.rbsworldpay.com/wcc/purchase?instId=151711&cartId=abc123&currency=GBP&amount=1221&desc=&testMode=100");

Note that your form parameters are currently open to tampering, regardless of whether you submit via GET or POST. I'm sure that WorldPay have some security measures that you can use to prevent and/or detect tampering. You should use them!

Edit...

WorldPay allow you to submit a hash along with your payment parameters to help prevent tampering. This should stop any amateur querystring tampering; whether it can stop a determined attacker is another matter.

As you mentioned in the comments, you should definitely log the parameters at your end before submitting and then cross-reference them against the callback data to ensure that nothing has been touched.
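
The cross-referencing step described in the answer above, as an added example that is not part of the original posts: the order saved before the redirect is compared field by field with what the gateway sends back. `LoggedOrder` and `CallbackCheck` are hypothetical names, and the example assumes the callback echoes the same field names as the form (`instId`, `cartId`, `currency`, `amount`).

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

// Hypothetical record of what was saved to the database before the redirect.
public sealed record LoggedOrder(string InstId, string CartId, string Currency, decimal Amount);

public static class CallbackCheck
{
    // Returns the names of fields whose callback value differs from the logged order.
    // An empty list means the callback matches what was logged.
    public static List<string> FindMismatches(
        LoggedOrder logged, IReadOnlyDictionary<string, string> callback)
    {
        var bad = new List<string>();

        void Expect(string field, string expected)
        {
            // A missing field counts as a mismatch.
            if (!callback.TryGetValue(field, out var actual) ||
                !string.Equals(actual, expected, StringComparison.Ordinal))
                bad.Add(field);
        }

        Expect("instId", logged.InstId);
        Expect("cartId", logged.CartId);
        Expect("currency", logged.Currency);

        // Compare the amount numerically so "1221" and "1221.00" are treated as equal.
        if (!callback.TryGetValue("amount", out var raw) ||
            !decimal.TryParse(raw, NumberStyles.AllowDecimalPoint,
                              CultureInfo.InvariantCulture, out var amount) ||
            amount != logged.Amount)
            bad.Add("amount");

        return bad;
    }

    public static void Main()
    {
        var logged = new LoggedOrder("151711", "abc123", "GBP", 1221m);
        // Constructed callback data: the amount differs from the logged order.
        var callback = new Dictionary<string, string>
        {
            ["instId"] = "151711", ["cartId"] = "abc123",
            ["currency"] = "GBP", ["amount"] = "1.00"
        };
        var bad = FindMismatches(logged, callback);
        Console.WriteLine(bad.Count == 0 ? "OK" : "Reject: " + string.Join(", ", bad));
    }
}
```

Look the logged order up by the `cartId` you generated server-side, and only mark it as paid when the returned list is empty.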


You can use Response.Redirect("OtherPage.aspx"); at the end of your event handler. Using this method, you could append items to the query string (for example the order ID)... Response.Redirect("OtherPage.aspx?OrderID=abcdef");.

Alternatively, you could do the processing in the order page and list it as the PostbackUrl, so the first page posts back directly to the order page.


Multiple ways:

1) Put the order in Session state and carry it along with the user, automatically retrieving it when they are redirected to the final page.

2) Create a form which submits its data with the new page as the target (rather than posting back to itself as the default behavior in ASP.Net).

3) Generate a form with hidden fields and output it to the page.

In situations #2 and #3, you might choose to use client-side script to automatically submit the form.
