Cookie problem in VB.Net

Discussion in 'ASP .Net' started by anoop, Nov 18, 2007.

  1. anoop

    anoop Guest

    Hello,
    I am writing the following code to prevent a Session Fixation
    attack in an ASP.Net website, but I could not retrieve the cookie I added,
    and the value of cookie_value remains blank.

    ----------------------------------------------------------

    Imports System.Web.UI.WebControls
    Imports System.Web.HttpResponse
    Imports System.Security.Cryptography

    Public Class AntiFixation
        Inherits System.Web.UI.Page

    #Region " Web Form Designer Generated Code "

        'This call is required by the Web Form Designer.
        <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()

        End Sub
        Protected WithEvents TextBox1 As System.Web.UI.WebControls.TextBox

        'NOTE: The following placeholder declaration is required by the Web Form Designer.
        'Do not delete or move it.
        Private designerPlaceholderDeclaration As System.Object

        Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Init
            'CODEGEN: This method call is required by the Web Form Designer
            'Do not modify it using the code editor.
            InitializeComponent()
        End Sub

    #End Region

        Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
            'Put user code to initialize the page here
        End Sub

        Private Function RandomString(ByVal l)
            Dim value, i, r
            Randomize()
            For i = 0 To l
                r = Int(Rnd * 62)
                If r < 10 Then
                    r = r + 48
                ElseIf r < 36 Then
                    r = (r - 10) + 65
                Else
                    r = (r - 10 - 26) + 97
                End If
                value = value & Chr(r)
            Next
            RandomString = value
        End Function

        ' This routine should be called after the user has been authenticated.
        ' It is expected that the session has been invalidated prior to this call.
        Public Sub AntiFixationInit()

            Dim value
            value = RandomString(10)

            Dim cookie1 As HttpCookie

            cookie1 = New HttpCookie("CLoginSessionID", value)

            cookie1.Path = "http://demotemp259.nic.in/"

            cookie1.Value = value

            HttpContext.Current.Response.Cookies.Add(cookie1)

            Session("LoginSessionID") = value

        End Sub

        Public Sub AntiFixationVerify(ByVal LoginPage)
            Dim session_value
            Dim cookie_value as HttpCookie

            If (Not (cookie_value Is Nothing)) Then
                cookie_value = HttpContext.Current.Request.Cookies("CLoginSessionID")
                Session("cooki") = cookie_value.values
                Dim val
                If (Not (cookie_value Is Nothing)) Then
                    val = cookie_value
                End If

            End If
            session_value = Session("LoginSessionID")

            If (Not (HttpContext.Current.Request.Cookies("CLoginSessionID") Is Nothing)) Then

                If Trim(cookie_value) <> Trim(session_value) Then
                    HttpContext.Current.Response.Redirect(LoginPage)
                End If

            End If
        End Sub

    End Class


    Please help me: how do I get the value of the cookie, cookie_value?

    Thank you
     
    anoop, Nov 18, 2007
    #1

  2. anoop

    Riki Guest

    The cookie path is the path on the client, so
    cookie1.Path = "http://demotemp259.nic.in/"
    will not work.

    Riki

    --
    Riki
     
    Riki, Nov 19, 2007
    #2

  3. anoop

    anoop Guest

    Hello,
    After changing the Path, will the code work?
    thank you
    "Riki" wrote:

    > The cookie path is the path on the client, so
    > cookie1.Path = "http://demotemp259.nic.in/"
    > will not work.
    >
    > Riki
     
    anoop, Nov 19, 2007
    #3
  4. anoop

    Riki Guest

    anoop wrote:
    > Hello,
    > After changing the Path, will the code work?
    > thank you


    Why don't you try it and let us know?
    We can't do the testing for you.

    I suggest not setting the path at all, let ASP.NET do it for you.

    Riki


    --
    Riki
     
    Riki, Nov 19, 2007
    #4
  5. anoop

    anoop Guest

    Thank you

    "Riki" wrote:

    > anoop wrote:
    > > Hello,
    > > After changing the Path, will the code work?
    > > thank you

    >
    > Why don't you try it and let us know?
    > We can't do the testing for you.
    >
    > I suggest not setting the path at all, let ASP.NET do it for you.
    >
    > Riki
     
    anoop, Nov 19, 2007
    #5
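
Added example (not part of the original thread and not code from either poster): a corrected version of the helper from post #1. In the posted AntiFixationVerify, cookie_value is tested for Nothing before it is ever assigned, so the Request.Cookies read is skipped; and HttpCookie.Path takes a URL path prefix such as "/", not a full URL. Assumptions: .NET Framework 2.0 or later; the class and method names are hypothetical; unlike the posted code, a missing cookie counts as a failure and the token comes from RNGCryptoServiceProvider instead of Rnd.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Web

' Added example. Class and method names are hypothetical;
' the cookie name and session key are the ones used in the thread.
Public Class AntiFixationHelper

    Private Const CookieName As String = "CLoginSessionID"
    Private Const SessionKey As String = "LoginSessionID"

    ' 128-bit token from the OS CSPRNG, hex-encoded so it is cookie-safe.
    Private Shared Function NewToken() As String
        Dim bytes(15) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(bytes)
        Return BitConverter.ToString(bytes).Replace("-", "")
    End Function

    ' Call once, right after the user has authenticated
    ' (and after the pre-login session has been invalidated).
    Public Shared Sub Init(ByVal ctx As HttpContext)
        Dim token As String = NewToken()
        Dim cookie As New HttpCookie(CookieName, token)
        ' Path is left at its default ("/"): it is a URL path prefix, never a full URL.
        cookie.HttpOnly = True                          ' not readable from script
        cookie.Secure = ctx.Request.IsSecureConnection  ' HTTPS-only when served over HTTPS
        ctx.Response.Cookies.Add(cookie)
        ctx.Session(SessionKey) = token
    End Sub

    ' Call on every protected page. True only when cookie and session agree.
    Public Shared Function Verify(ByVal ctx As HttpContext) As Boolean
        Dim expected As String = TryCast(ctx.Session(SessionKey), String)
        ' Read the cookie first, then test the result for Nothing.
        Dim cookie As HttpCookie = ctx.Request.Cookies(CookieName)
        If expected Is Nothing OrElse cookie Is Nothing Then
            Return False   ' missing token or cookie fails closed
        End If
        ' Compare the cookie's Value (a String), not the HttpCookie object.
        Return String.Equals(cookie.Value, expected, StringComparison.Ordinal)
    End Function

    ' Drops the session and sends the browser back to the login page on mismatch.
    Public Shared Sub VerifyOrRedirect(ByVal ctx As HttpContext, ByVal loginPage As String)
        If Not Verify(ctx) Then
            ctx.Session.Abandon()
            ctx.Response.Redirect(loginPage)
        End If
    End Sub
End Class
```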