Stop a session being overwritten

Question

I have a piece of code that generates a random number between 1 and 1000. It then stores that number as a session. You will then receive an email with the number from the session printed into a form and submit it but the problem is whenever you submit a form (there's two on the page) it refreshes the random number and resets the session making your code invalid. How could i stop this?

Below is my current problem;

HTML

    <form action="cantaccess.asp" method="post">
         <p>Email:<input type="text" name="inputtedEmail" value="" /></p>
         <input type="submit" name="submitEmail" value="submit" />
    </form>

    <form action="cantaccess.asp" method="post">
         <p>Code:<input type="text" name="inputtedCode" value="" /></p>
         <input type="submit" name="submitCode" value="submit" />
    </form>

ASP

    'Declares the variable for the random number which will be sent and stored
    Dim uniqueCode

    'initialising the randomize generator
    Randomize()

    'genarating a random number between 1 and 1000
    uniqueCode = CInt(Int((1000*Rnd()) + 1))

    'writing it out for testing purposes
    response.write(uniqueCode)

    'store it as a session to save the code when the form is submitted
    Session("generatedCode") = uniqueCode
    Session.Timeout= 1

Answer 1

I think the main problem you have is that after session timeout (standard 20 minutes) you do not have access to the sent random number because you only store it in a session variable.

The only way now for a user to get acces to your page is when he receives the email with the "code" within the session timeout value AND revisits your site during that time.

You will have to persist that number and the according email address in some other way (e.g. database).

If You really want to implement it the way as you describe the solution for You would be to check if the form field "inputted" value exists. If it exists you must not generate the random number.

if request.form("inputted") <> "" and isnumeric(request.form("inputted")) and request.form("inputted") >= 1 and request.form("inputted") <= 1000 then
    if request.form("inputted") =  Session("generatedCode") then
        ' the session value and the inputted value are equal but you are not sure that the user you sent the code has entered it in your form!
    end if
else
    'generate random number and store it and send email
end if

Another thought: Do You check the inputted random number against the email-address you sent it to? Otherwise I could try to fill out the form and put in some number and get access to the forbidden page without ever receiving an email with the "code". 1000 possibilities are not that much.

Answer 2

If request.form("submitEmail") = "submit" then
 '## Your code for generate random number
Else
 '## Your code for verify previously generated random number
End If