I think the main problem you have is that after session timeout (standard 20 minutes) you do not have access to the sent random number because you only store it in a session variable.
The only way now for a user to get access to your page is when he receives the email with the "code" within the session timeout value AND revisits your site during that time.
You will have to persist that number and the corresponding email address in some other way (e.g. database).
If you really want to implement it the way you describe, the solution for you would be to check if the form field "inputted" value exists. If it exists, you must not generate the random number.
    if request.form("inputted") <> "" and isnumeric(request.form("inputted")) and request.form("inputted") >= 1 and request.form("inputted") <= 1000 then
        if request.form("inputted") = Session("generatedCode") then
            ' the session value and the inputted value are equal, but you are not sure that the user you sent the code to has entered it in your form!
        end if
    else
        ' generate random number and store it and send email
    end if
Another thought: Do you check the inputted random number against the email address you sent it to? Otherwise I could try to fill out the form and put in some number and get access to the forbidden page without ever receiving an email with the "code". 1000 possibilities are not that much.
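
The points raised in the answer above (persist the code together with the email address instead of keeping it in the session, check the submitted code against that address, and do not rely on only 1000 possible values), shown as an added example that is not part of the original answer and is written in Python with SQLite rather than the page's ASP. The table name, function names, 8-digit code length, 15-minute lifetime and 5-attempt limit are all assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, sqlite3, time

CODE_TTL = 15 * 60   # assumed lifetime of a code, in seconds
MAX_ATTEMPTS = 5     # assumed number of wrong guesses allowed per issued code

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS email_codes ("
               "email TEXT PRIMARY KEY, code_hash TEXT NOT NULL, "
               "expires REAL NOT NULL, attempts INTEGER NOT NULL)")
    return db

def _digest(email, code):
    # The stored hash covers the address too, so the same digits
    # do not verify for a different email.
    return hashlib.sha256(f"{email}:{code}".encode()).hexdigest()

def issue_code(db, email, now=None):
    """Create a code for this address, persist it, and return it for mailing."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    code = f"{secrets.randbelow(10**8):08d}"  # 10^8 values instead of 1000
    db.execute("INSERT OR REPLACE INTO email_codes VALUES (?, ?, ?, 0)",
               (email, _digest(email, code), now + CODE_TTL))
    db.commit()
    return code

def verify_code(db, email, submitted, now=None):
    """True only if `submitted` is the unexpired code issued to `email`."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    row = db.execute("SELECT code_hash, expires, attempts FROM email_codes "
                     "WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False  # nothing was ever sent to this address
    code_hash, expires, attempts = row
    if now > expires or attempts >= MAX_ATTEMPTS:
        db.execute("DELETE FROM email_codes WHERE email = ?", (email,))
        db.commit()
        return False  # expired or guessed too often: a new code must be issued
    if hmac.compare_digest(code_hash, _digest(email, str(submitted).strip())):
        db.execute("DELETE FROM email_codes WHERE email = ?", (email,))  # single use
        db.commit()
        return True
    db.execute("UPDATE email_codes SET attempts = attempts + 1 WHERE email = ?",
               (email,))
    db.commit()
    return False
```

Because the record lives in the database rather than the session, the check still works after the session has timed out, and the attempt counter stops someone from simply trying every value in the form.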