how to call functions so that random value is generated


anoop

Hello,
I am writing the following code to prevent session fixation in all
the .aspx.cs files of the website, as follows:

protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        Random rd = new Random();
        int valnum = rd.Next();
        // Session fixation
        sessionFixation vfy = new sessionFixation();
        vfy.AntiFixationInit(valnum);
        vfy.AntiFixationVerify("../login.aspx");
    }
    else
    {
        Random rd = new Random();
        int valnum = rd.Next();
        // Session fixation
        sessionFixation vfy = new sessionFixation();
        vfy.AntiFixationInit(valnum);
        vfy.AntiFixationVerify("../login.aspx");
    }
}


Also, I am writing the following code in the sessionfixation.cs file:


using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

public class sessionFixation
{
    // Sets the ASPFIXATION cookie to the supplied value with a 300-second lifetime.
    public void AntiFixationInit(int valnum)
    {
        int val = valnum;
        HttpCookie cookie = null;
        if (cookie == null)
        {
            cookie = new HttpCookie("ASPFIXATION");
        }
        else
        {
            cookie = System.Web.HttpContext.Current.Request.Cookies["ASPFIXATION"];
        }
        cookie.Value = val.ToString();
        cookie.Expires = DateTime.Now.AddSeconds(300);
        System.Web.HttpContext.Current.Response.Cookies.Add(cookie);
    }

    // Reads the ASPFIXATION cookie from the request and redirects to LoginPage
    // when the string built from its value is null.
    public void AntiFixationVerify(string LoginPage)
    {
        HttpCookie cookie_value = null;
        System.Text.StringBuilder sb = new System.Text.StringBuilder();
        Object session_value = null;
        if (cookie_value == null)
        {
            cookie_value = System.Web.HttpContext.Current.Request.Cookies.Get("ASPFIXATION");
            if (cookie_value != null)
            {
                sb.Append(cookie_value.Value);
            }
        }
        String str = sb.ToString();
        if (str == null)
        {
            System.Web.HttpContext.Current.Response.Redirect(LoginPage);
        }
    }
}

Now I want to know where I should call the session fixation prevention
functions, so that on each request of the .aspx page the random value of
the user-defined cookie is different. I have already called the functions in
Page_Load. Do I have to call these functions in other events of the page life
cycle as well, viz. PreRender, Render, SaveViewState etc.? Please help.
 

Peter Duniho

[...]
Now I want to know where I should call the session fixation prevention
functions, so that on each request of the .aspx page the random value of
the user-defined cookie is different. I have already called the functions in
Page_Load. Do I have to call these functions in other events of the page life
cycle as well, viz. PreRender, Render, SaveViewState etc.? Please help.

You need to post your question in the ASP.NET newsgroup. There you should
find people actively writing ASP.NET applications and for whom your
question is within their experience.

That said, before you post your question there, you should fix some of the
more egregious mistakes in the code you posted:

-- Creating a new Random() instance each time you want a new random
number (use a static class member to hold a Random() instance you create
once during initialization)
-- Initializing a variable to "null" and then immediately testing to
see whether it's null (duh, of course it will be...you just set it to
"null"!)
-- Checking the value returned from StringBuilder.ToString() to see if
it's null; it will never be null...perhaps you meant to check it against
String.Empty or "" (the same thing)

Finally, I'm not an ASP.NET expert, but it seems to me that if you want
your anti-fixation code to do something useful, you have to save your
generated session ID value somewhere and use that to verify the next
client request when it comes in.

Pete
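
The approach suggested in the last paragraph of the reply above (keep the generated value server-side and check the next request against it), written out as an added example that is not code from either poster. The class name AntiFixation, its Issue and Verify methods, and the use of Session as the server-side store are assumptions; only the cookie name ASPFIXATION comes from the thread.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;

// Added example (hypothetical class and method names), not the poster's code.
public static class AntiFixation
{
    private const string Key = "ASPFIXATION";   // cookie name used in the thread

    // Call once, right after the credentials are validated on the login page.
    public static void Issue(HttpContext ctx)
    {
        byte[] raw = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);                  // CSPRNG instead of System.Random
        string token = BitConverter.ToString(raw).Replace("-", ""); // hex, cookie-safe

        ctx.Session[Key] = token;               // server-side copy
        HttpCookie cookie = new HttpCookie(Key, token);
        cookie.HttpOnly = true;                 // not readable from script
        cookie.Secure = ctx.Request.IsSecureConnection;
        ctx.Response.Cookies.Add(cookie);       // client-side copy
    }

    // Call on every protected request, from an event where Session is
    // available (for example a shared base page's OnInit).
    public static void Verify(HttpContext ctx, string loginPage)
    {
        string expected = ctx.Session[Key] as string;
        HttpCookie cookie = ctx.Request.Cookies[Key];
        string presented = cookie == null ? null : cookie.Value;

        // A missing or mismatched value means the session ID is not backed by a login.
        if (expected == null || presented == null || !FixedTimeEquals(expected, presented))
        {
            ctx.Session.Abandon();
            ctx.Response.Redirect(loginPage);
        }
    }

    // Compares without returning early at the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

With the check in a shared base page, the pages do not each need their own copy in Page_Load, and the token changes per login rather than per request.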
 
