Trying to validate password in log in page

Question

0.00/5 (No votes)

See more:

Hello everyone,
I am trying to validate the user password against the one stored in the database. The problem is that is goes directly in the login2 page. Please give me detailed steps and i know that I am learning when responding. Is this a good approach or not? I need some solutions.
this is the code that i have in my aspx page

XML

<%@ Page Title="" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Login1.aspx.cs" Inherits="ExpressBookstore.Account.Login1" %>
<asp:Content  ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server" >
    <div id="login1">
    <p>
        <br />
        <asp:Label ID="Label1" runat="server" Text="UserName"></asp:Label>
        <asp:TextBox ID="txtUserName" runat="server" />
         <asp:RequiredFieldValidator runat="server" ControlToValidate="txtUserName" ErrorMessage="*" SetFocusOnError="true" />
    </p>
    <p>
        <asp:Label ID="Label2" runat="server" Text="Password" ></asp:Label>&nbsp
        <asp:TextBox ID="txtPassword" runat="server" TextMode="Password" ></asp:TextBox>
        <asp:RequiredFieldValidator runat="server" ControlToValidate="txtPassword" ErrorMessage="*" SetFocusOnError="true" />
    </p><asp:Label ID="lblerror" runat="server" />
    <p>
       <asp:CheckBox ID="CheckBox1" runat="server" />Remember me
    </p>
    <asp:Button ID="btnLogin" runat="server" Text="Login" OnClick="Button1_Click" OnClientClick="Button1_Click" CausesValidation="true" />
        <br />
        <br />
        <asp:Button ID="btnforget" runat="server" Text="Forget Password" OnClick="btnforget_Click" OnClientClick="btnforget_Click" />
    </div>
</asp:Content>

and this is the code in my .cs page

private string CreatePasswordHash(string password, string hash,string salt)
{
//MD5, SHA1

return FormsAuthentication.HashPasswordForStoringInConfigFile(password + hash + salt, "SHA1");

}

private string CreateSalt(int size)
{
RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
byte[] data = new byte[size];
provider.GetBytes(data);
return Convert.ToBase64String(data);
}

private string CreateHash(int size)
{
RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
byte[] hash = new byte[size];
provider.GetBytes(hash);
return Convert.ToBase64String(hash);
}

private string GetHash(string password)
{
RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
byte[] hash = new byte[5];
provider.GetBytes(hash);
return Convert.ToBase64String(hash);
}

protected void Button1_Click(object sender, EventArgs e)
{

//Define a Connection string
var connectionString = ConfigurationManager.ConnectionStrings["BookstoreConnectionString"].ToString();

//Open the connection
SqlConnection sqlConnection = new SqlConnection(connectionString);
sqlConnection.Open();

//Define the sqlcommand object and assign the commandType

SqlCommand sqlCommand = new SqlCommand("SELECT HashKey FROM Registration WHERE UserName = @UserName", sqlConnection);
SqlCommand sqlCommand1 = new SqlCommand("SELECT SaltKey FROM Registration WHERE UserName = @UserName", sqlConnection);

// sqlCommand.CommandType = CommandType.StoredProcedure;

sqlCommand.Parameters.AddWithValue("@UserName", txtUserName.Text.Trim());

SqlDataReader reader = sqlCommand.ExecuteReader();
reader.Read();
string dbHashKey = reader.GetString(0);
reader.Close();

sqlCommand1.Parameters.AddWithValue("@UserName", txtUserName.Text.Trim());

SqlDataReader reader1 = sqlCommand1.ExecuteReader();
reader1.Read();
string dbSaltKey = reader1.GetString(0);
reader1.Close();

// hash the password entered with the salt and compare it to the hashkey in the database

// var loginHash = CreateHash(5);

var loginHash = GetHash(txtPassword.Text.Trim());

if (dbHashKey == loginHash)
{
Response.Redirect("MembersOnly.aspx");
}
else
{
//Response.Write(" Please try again ! Invalid UserName or password ");
Response.Redirect("Login2.aspx");
}
}

protected void btnforget_Click(object sender, EventArgs e)
{
Response.Redirect("RetrievePassword.aspx");
}

Thank you

Posted 19-Aug-14 6:38am

Member 10737325

Add a Solution

Comments

ZurdoDev 19-Aug-14 12:48pm

Put a breakpoint in your code and then debug it. You can see exactly what is happening.

Member 10737325 20-Aug-14 10:26am

I did, but still can't solve it. I think the problem is in the function GetHash

ZurdoDev 20-Aug-14 10:35am

If you debugged it, what is the actual problem? What is happening?

Member 10737325 20-Aug-14 11:17am

Everything looks fine until i reach this line
var loginHash = GetHash(txtPassword.Text.Trim());
and it jumps to the non-login users page .

ZurdoDev 20-Aug-14 11:20am

Step into that function and make sure it has no problems.

[no name] 19-Aug-14 12:56pm

You are creating two queries when one query will do.
You need to debug your code and find out why your hashed values are different.

PhilLenoir 19-Aug-14 14:13pm

What's the data type of the stored hash? If it's a char then it may have trailing spaces which would fail a string comparison.

Member 10737325 19-Aug-14 23:50pm

it's varchar

PhilLenoir 20-Aug-14 9:02am

Why don't you use the ASP.NET login/Membership/Roles schema? It provides a rich set of classes for managing users and permissions and all the heavy lifting is done for you. You can configure to store plain text passwords or encrypted (I believe it defaults to encrypted.) By default it requires a SQL Server (SQL Express too) back end, but I think that you can configure to use other back-ends.

Member 10737325 20-Aug-14 10:19am

Will try it out. Thank you

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Sergey Alexandrovich Kryukov · Answer 1 · 2014-08-19T09:15:00

You should never ever store passwords in database. This is unsafe and absolutely not needed for authentication. Disagree? surprised? Then please read my past answers:
i already encrypt my password but when i log in it gives me an error. how can decrypte it[^],
Decryption of Encrypted Password[^],
storing password value int sql server with secure way[^].

With ASP.NET you have everything implemented for you:
Client-side: http://code.google.com/p/crypto-js[^].
Server-side, .NET: http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256%28v=vs.110%29.aspx[^].

But even this is not enough if you are not using HTTPS and transport-level security. The approach based on cryptographic hash will work perfectly: a malicious researcher can eavesdrop your communication and still won't be able to figure out your password. But such person can capture your hash itself and impersonate you without knowing you password. Even more vulnerable moment is the time when you first create a password. Transport-level security will protect you from such attacks.

Please see:
http://en.wikipedia.org/wiki/HTTPS[^],
http://en.wikipedia.org/wiki/Transport_Layer_Security[^].

—SA