1

I have code like this

    <html>
    <head>
        <title></title>
    </head>
    <body>
        <%
            Function GetGUID()
                GetGUID = CreateObject("Scriptlet.TypeLib").GUID
            End Function

            if Request.ServerVariables("REQUEST_METHOD") = "POST" then
                if session("token") = cstr(Request.Form("csrftoken")) then
                    response.write("Same")
                else
                    response.write("different")
                end if

            else
                dim token
                token = GetGUID()
                session("token")=token
            end if
        %>
        <form method="post" action="test.asp">
            <input type="text" name="nama" placeholder="Input name">
            <input type="submit" value="submit">
            <input type="hidden" value="<%= session("token") %>" name="csrftoken">
        </form>
    </body>
    </html>

But when I click the submit button, "different" is always printed. I'm very sure that those variables (session & csrftoken) have the same value, because I already checked that by printing those variables.

UPDATE

Thanks all for all your help, the problem is fixed now. It's because GUID returns a null-terminated string. For reference you can see here: Link. Thanks Lankymart for the reference :)

Kim
  • 1
    Perhaps a whitespace issue? Try putting both variables between `_` when printing them. – Ansgar Wiechers May 18 '16 at 15:11
  • Okay, let me try that – Kim May 18 '16 at 15:14
  • There is no whitespace problem, but I don't know why, after I print the session variable, I can't concatenate it with "_". This is my code: http://pastebin.com/NDp1jSAP – Kim May 18 '16 at 15:21
  • If you can't concatenate it it's probably not a string in the first place. Try `CStr(session("token")) = CStr(Request.Form("csrftoken"))`. – Ansgar Wiechers May 18 '16 at 15:23
  • Already tried that. The session object still can't be concatenated with "_". The request form is fine, I can concatenate it with "_". Here is my new paste: http://pastebin.com/mrkgyzca – Kim May 18 '16 at 15:26
  • Then there is something not right with the `Session("token")` variable where is it set, can you check the `VarType()` maybe? – user692942 May 18 '16 at 15:33
  • In the else section. So when my page is loaded, the session("token") will be initialized. Both have a VarType value of 8 – Kim May 18 '16 at 15:34
  • 1
    I think the problem is from CreateObject("Scriptlet.TypeLib").GUID – Kim May 18 '16 at 15:39
  • I think that is a fair assessment, you sure `.GUID` returns a string and not an `Object`? Maybe this will help [How to generate a GUID in VBScript?](http://stackoverflow.com/a/968767/692942) – user692942 May 18 '16 at 15:41
  • @Lankymart honestly I don't know what GUID returns, I used that only to generate some unique number. I refer to this article: http://stackoverflow.com/questions/6421417/howto-implement-synchronizer-token-pattern-in-classic-asp – Kim May 18 '16 at 15:44
  • 1
    Ohhhhh I see, thanks @Lankymart for the reference – Kim May 18 '16 at 15:45

1 Answer

0

Do not ask me WHY, but there are 2 chars at the end of your CreateObject("Scriptlet.TypeLib").GUID which are somehow lost when pushing it through as a post. I will update this answer as soon as I find out more, but for now, you could just compare all the "real" chars, by taking a Left of the session variable by the length of the request variable. Like this:

    if left(session("token"), len(Request.Form("csrftoken"))) = Request.Form("csrftoken") then

Also: you can use Trim instead of CStr. It implies a CStr and trims the string.

Edit: So the "Why" part got answered in the question linked by @Lankymart. Thanks!

LukasKroess
  • For reference - [How to generate a GUID in VBScript?](http://stackoverflow.com/a/968767/692942) explains the NULL terminator and the weird behaviour it can cause. – user692942 May 18 '16 at 15:47
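As an added example (not the asker's or the answerer's code), here is the same check written so that the trailing characters are removed when the token is generated, and the comparison is exact. The prefix workaround `Left(session, Len(form)) = form` has a side effect worth knowing: when the submitted field is empty, `Left(x, 0)` is also `""`, so the check passes with no token at all. Assumes the page's `Session("token")` and the hidden field `csrftoken`.

```vbscript
<%
' Added example, not from the original question or answer.

' A braced GUID is exactly 38 characters: {8-4-4-4-12}. Scriptlet.TypeLib
' appends characters after the closing brace (the null terminator noted in
' the linked answer), which do not survive the POST round trip, so keep only
' the printable part at generation time instead of trimming at compare time.
Function GetCleanGUID()
    Dim raw
    raw = CreateObject("Scriptlet.TypeLib").GUID
    GetCleanGUID = Left(raw, 38)
End Function

' Exact, case-sensitive comparison. Rejects non-string values and an empty
' or wrong-length submission, which the prefix comparison would accept.
Function TokenMatches(stored, submitted)
    TokenMatches = False
    If VarType(stored) <> vbString Or VarType(submitted) <> vbString Then Exit Function
    If Len(stored) <> 38 Or Len(submitted) <> 38 Then Exit Function
    If StrComp(stored, submitted, vbBinaryCompare) = 0 Then TokenMatches = True
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    ' CStr turns a missing form field into "" rather than an object,
    ' which TokenMatches then rejects on length.
    If TokenMatches(Session("token"), CStr(Request.Form("csrftoken"))) Then
        Response.Write("Same")
    Else
        Response.Write("different")
    End If
Else
    Session("token") = GetCleanGUID()
End If
%>
```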