Hello everyone,
I am trying to validate the user's password against the one stored in the database. The problem is that it goes directly to the Login2 page. Please give me detailed steps, and keep in mind that I am still learning when responding. Is this a good approach or not? I need some solutions.
This is the code that I have in my .aspx page:
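<%@ Page Title="" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Login1.aspx.cs" Inherits="ExpressBookstore.Account.Login1" %>
<asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
    <%-- Login form. The server-side handlers (Button1_Click, btnforget_Click) live in Login1.aspx.cs. --%>
    <div id="login1">
        <p>
            <br />
            <asp:Label ID="Label1" runat="server" Text="UserName"></asp:Label>
            <asp:TextBox ID="txtUserName" runat="server" />
            <asp:RequiredFieldValidator runat="server" ControlToValidate="txtUserName" ErrorMessage="*" SetFocusOnError="true" />
        </p>
        <p>
            <asp:Label ID="Label2" runat="server" Text="Password"></asp:Label>
            <asp:TextBox ID="txtPassword" runat="server" TextMode="Password"></asp:TextBox>
            <asp:RequiredFieldValidator runat="server" ControlToValidate="txtPassword" ErrorMessage="*" SetFocusOnError="true" />
        </p>
        <asp:Label ID="lblerror" runat="server" />
        <p>
            <%-- Text on the control keeps the caption bound to the checkbox instead of loose text after it. --%>
            <asp:CheckBox ID="CheckBox1" runat="server" Text="Remember me" />
        </p>
        <%-- OnClientClick was removed from both buttons: it names a client-side JavaScript function, and
             "Button1_Click"/"btnforget_Click" exist only in the code-behind, so every click raised a script
             error in the browser. OnClick alone wires the server-side handler. --%>
        <asp:Button ID="btnLogin" runat="server" Text="Login" OnClick="Button1_Click" CausesValidation="true" />
        <br />
        <br />
        <asp:Button ID="btnforget" runat="server" Text="Forget Password" OnClick="btnforget_Click" />
    </div>
</asp:Content>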
and this is the code in my .cs page
/// <summary>
/// Builds the stored password digest: SHA1 over the concatenation of the plaintext
/// password, the per-user "hash" component and the salt, as produced by
/// FormsAuthentication.HashPasswordForStoringInConfigFile.
/// </summary>
/// <param name="password">Plaintext password entered by the user.</param>
/// <param name="hash">Random per-user value mixed into the input (presumably from CreateHash — confirm).</param>
/// <param name="salt">Random per-user salt mixed into the input (presumably from CreateSalt — confirm).</param>
/// <returns>The SHA1 digest string returned by HashPasswordForStoringInConfigFile.</returns>
/// <remarks>
/// Maintainer note: HashPasswordForStoringInConfigFile is an obsolete API and SHA1 is a
/// fast digest rather than a password-stretching KDF; PBKDF2 (Rfc2898DeriveBytes) is the
/// usual replacement. Changing it, however, invalidates every digest already stored in
/// Registration, so it needs a migration rather than a drop-in swap.
/// </remarks>
private string CreatePasswordHash(string password, string hash, string salt)
{
    // string.Concat treats null the same way '+' does (as empty), so the input is identical.
    string digestInput = string.Concat(password, hash, salt);
    return FormsAuthentication.HashPasswordForStoringInConfigFile(digestInput, "SHA1");
}
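/// <summary>
/// Generates <paramref name="size"/> cryptographically random bytes and returns them
/// Base64-encoded, for use as a per-user salt.
/// </summary>
/// <param name="size">Number of random bytes to generate (before Base64 encoding).</param>
/// <returns>Base64 string encoding exactly <paramref name="size"/> random bytes.</returns>
/// <exception cref="ArgumentOutOfRangeException">Thrown when <paramref name="size"/> is negative.</exception>
private string CreateSalt(int size)
{
    if (size < 0)
    {
        throw new ArgumentOutOfRangeException("size", "Salt size must not be negative.");
    }
    byte[] data = new byte[size];
    // The generator is IDisposable; the original never disposed its RNGCryptoServiceProvider.
    // RandomNumberGenerator.Create() gives the same CSPRNG without naming the obsolete type.
    using (RandomNumberGenerator provider = RandomNumberGenerator.Create())
    {
        provider.GetBytes(data);
    }
    return Convert.ToBase64String(data);
}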
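/// <summary>
/// Generates <paramref name="size"/> cryptographically random bytes and returns them
/// Base64-encoded. Identical in behaviour to CreateSalt; it exists so that the per-user
/// "hash" component mixed into CreatePasswordHash is generated separately from the salt.
/// </summary>
/// <param name="size">Number of random bytes to generate (before Base64 encoding).</param>
/// <returns>Base64 string encoding exactly <paramref name="size"/> random bytes.</returns>
/// <exception cref="ArgumentOutOfRangeException">Thrown when <paramref name="size"/> is negative.</exception>
private string CreateHash(int size)
{
    if (size < 0)
    {
        throw new ArgumentOutOfRangeException("size", "Hash size must not be negative.");
    }
    byte[] hash = new byte[size];
    // Dispose the generator deterministically; the original leaked its RNGCryptoServiceProvider.
    using (RandomNumberGenerator provider = RandomNumberGenerator.Create())
    {
        provider.GetBytes(hash);
    }
    return Convert.ToBase64String(hash);
}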
/// <summary>
/// Returns a Base64 string of 5 freshly generated random bytes. NOTE: the
/// <paramref name="password"/> argument is never read, so the result has no relationship
/// to the password and is different on every call.
/// </summary>
/// <param name="password">Unused by this implementation.</param>
/// <returns>Base64 encoding of 5 random bytes.</returns>
/// <remarks>
/// Because the output is random, comparing it against a value stored in the database (as
/// Button1_Click does) can never succeed, which is why every login ends up on Login2.aspx.
/// Verification has to recompute the same salted digest the registration code stored
/// (presumably CreatePasswordHash with the user's stored SaltKey) — confirm against the
/// registration page. The RNGCryptoServiceProvider is also never disposed.
/// </remarks>
private string GetHash(string password)
{
// 'password' is ignored from here on; only a random value is produced.
RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
byte[] hash = new byte[5];
provider.GetBytes(hash);
return Convert.ToBase64String(hash);
}
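/// <summary>
/// Login button handler: loads the stored HashKey and SaltKey for the entered user name,
/// computes the login digest and redirects to MembersOnly.aspx on a match, otherwise to Login2.aspx.
/// </summary>
/// <param name="sender">The login button.</param>
/// <param name="e">Event arguments (unused).</param>
protected void Button1_Click(object sender, EventArgs e)
{
    string userName = txtUserName.Text.Trim();
    string password = txtPassword.Text.Trim();
    string dbHashKey = null;
    string dbSaltKey = null;

    // Connection string from web.config; the name must match the <connectionStrings> entry.
    string connectionString = ConfigurationManager.ConnectionStrings["BookstoreConnectionString"].ConnectionString;

    // One parameterized query for both columns instead of two round trips, with the connection,
    // command and reader disposed deterministically (the original left the connection and
    // readers to the finalizer on every login).
    using (SqlConnection sqlConnection = new SqlConnection(connectionString))
    using (SqlCommand sqlCommand = new SqlCommand(
        "SELECT HashKey, SaltKey FROM Registration WHERE UserName = @UserName", sqlConnection))
    {
        sqlCommand.Parameters.AddWithValue("@UserName", userName);
        sqlConnection.Open();
        using (SqlDataReader reader = sqlCommand.ExecuteReader())
        {
            // Unknown user name: Read() returns false. The original called GetString(0) regardless,
            // which throws instead of treating it as a failed login.
            if (reader.Read())
            {
                dbHashKey = reader.IsDBNull(0) ? null : reader.GetString(0);
                dbSaltKey = reader.IsDBNull(1) ? null : reader.GetString(1);
            }
        }
    }

    bool authenticated = false;
    if (dbHashKey != null && dbSaltKey != null)
    {
        // TODO(review): GetHash() ignores its argument and returns fresh random bytes, so this
        // comparison can never succeed. It has to be replaced with the same salted digest the
        // registration page stored (presumably CreatePasswordHash(password, <hash component>, dbSaltKey));
        // confirm against the registration code before changing it.
        string loginHash = GetHash(password);
        authenticated = dbHashKey == loginHash;
    }

    if (authenticated)
    {
        Response.Redirect("MembersOnly.aspx");
    }
    else
    {
        // Original (commented-out) message: "Please try again ! Invalid UserName or password".
        // The page redirects instead of writing it, so lblerror is never shown here.
        Response.Redirect("Login2.aspx");
    }
}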
/// <summary>
/// "Forget Password" button handler: sends the user to the password-recovery page.
/// </summary>
/// <param name="sender">The button that raised the event.</param>
/// <param name="e">Event arguments (unused).</param>
protected void btnforget_Click(object sender, EventArgs e)
{
    const string recoveryPage = "RetrievePassword.aspx";
    Response.Redirect(recoveryPage);
}
Thank you