This could just be my configuration. When I click cancel in the payment flow, I do not get a session cookie. This means the user has no session, so we trust the transaction ID in the query string. We were assuming the session would be consistent throughout the flow; not having a session is kind of a mess. For the moment I'm making it optional until this bug can be solved and we can go back to using sessions.