I have created a login screen in C# ASP.NET. The username and password data is retrieved from the database. I am getting only one user, but the remaining users are not accessed, which means they are returned to the login screen.

What I have tried:

Database Fields: Table Name: UserProfile
[UserID] UNIQUEIDENTIFIER CONSTRAINT [def_UserID] DEFAULT (newsequentialid()) NOT NULL,
[UserName]     VARCHAR (15)     NOT NULL,
[Password]     VARCHAR (MAX)    NULL,
[EmailAddress] VARCHAR (50)     NOT NULL,


Source Code for Login Button:
protected void lnkBtnLogin_Click(object sender, EventArgs e)
{
    con = new SqlConnection(ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString);
    con.Open();
    cmd = new SqlCommand("select * from UserProfile", con);
    sdr = cmd.ExecuteReader();

    string username = txtUsername.Value;
    string password = txtPassword.Value;

    cmd.Parameters.Add("@UserName", SqlDbType.VarChar, 15);
    cmd.Parameters.Add("@Password", SqlDbType.VarChar);
    cmd.Parameters["@UserName"].Value = username;
    cmd.Parameters["@Password"].Value = password;

    Session["username"] = username;

    while (sdr.Read())
    {
        // Accessing the Session UserID value to all the pages.
        Session["UserID"] = sdr["UserID"].ToString();

        if (sdr["UserName"].ToString() == username && sdr["Password"].ToString() == password)
        {
            Response.Redirect("Home.aspx");
        }

        else
        {
            Response.Write(@"<script>alert('" + errorMessage + "');</script>");
            Response.Redirect("Login.aspx");
        }
    }
    con.Close();
}


In this code the first user gets logged in successfully and is redirected to the Home page, but when the remaining users log in, they are automatically sent back to the Login screen. The problem is exactly that it is not considering the username and password of the row for the user ID. It only takes the first user ID and keeps logging in. Can anyone explain to me what is wrong?
Updated 26-Mar-18 2:03am
Comments
Richard Deeming 27-Mar-18 9:29am    
And why are you re-inventing the wheel? ASP.NET has several perfectly good authentication systems built-in - for example, ASP.NET Identity
Member 8583441 28-Mar-18 1:37am    
This is for example practice; I made this code to work. But actually, I am working on hashing the password with my own source code, but not in this project.
Member 8583441 28-Mar-18 1:39am    
I am developing another project of my own to practice a lot, and I am a fresher, so I have no idea about coding. I had 1 year of experience in this field of .NET training.

1 solution

This is the SQL you are executing:

cmd = new SqlCommand("select * from UserProfile", con);
sdr = cmd.ExecuteReader();


You're getting all rows from the UserProfile table. For the first row, you check whether the username and password for that row match what the user input; if they do, it redirects to the home page, and if they don't, it redirects to the login page. A redirect stops the page executing, so it's never going to get past the first row.

What you want to do is limit the SQL to only retrieve the rows for the relevant user, so you only need to do a password check. You add the username and password as params but don't use them. Something like:

cmd = new SqlCommand("select * from UserProfile where [Username]=@UserName and [Password]=@Password", con);

string username = txtUsername.Value;
string password = txtPassword.Value;

cmd.Parameters.Add("@UserName", SqlDbType.VarChar, 15);
cmd.Parameters.Add("@Password", SqlDbType.VarChar);
cmd.Parameters["@UserName"].Value = username;
cmd.Parameters["@Password"].Value = password;

sdr = cmd.ExecuteReader();


If you're doing logins like this just to learn, then that's OK, but for any serious use you shouldn't store passwords in plain text. Google for how to deal with password hashes and salt; there are plenty of articles out there that explain it.
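
The two points of the answer above, as an added example that is not part of the original answer or the poster's project: look up one row by user name instead of looping over every row, and compare a salted PBKDF2 hash instead of a plain-text password. The in-memory dictionary is a constructed stand-in for the UserProfile table, and the names LoginDemo, Register and Verify, the sample users and the iteration count are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

static class LoginDemo
{
    const int Iterations = 100000, SaltLen = 16, HashLen = 32; // assumed parameters

    // Constructed stand-in for UserProfile: UserName -> "salt:hash" (Base64),
    // the kind of string that would go in the [Password] VARCHAR(MAX) column.
    static readonly Dictionary<string, string> Users = new Dictionary<string, string>();

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashLen);
    }

    static void Register(string userName, string password)
    {
        var salt = new byte[SaltLen];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt); // fresh salt per user
        Users[userName] = Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(Derive(password, salt));
    }

    static bool Verify(string userName, string password)
    {
        // One lookup by user name: the in-memory equivalent of
        // "select [Password] from UserProfile where [UserName]=@UserName".
        string stored;
        if (!Users.TryGetValue(userName, out stored)) return false;
        string[] parts = stored.Split(':');
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Derive(password, Convert.FromBase64String(parts[0]));
        // Compare every byte so the time taken does not depend on where the first mismatch is.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    static void Main()
    {
        Register("alice", "correct horse"); // constructed sample users
        Register("bob", "hunter2!");
        Console.WriteLine(Verify("alice", "correct horse")); // first user in the table
        Console.WriteLine(Verify("bob", "hunter2!"));        // a later user, checked against its own row
        Console.WriteLine(Verify("bob", "correct horse"));   // another user's password
        Console.WriteLine(Verify("carol", "anything"));      // unknown user name
    }
}
```

In the page's handler, the dictionary lookup becomes a SqlCommand with the @UserName parameter, and the decision to redirect is made once, after the single row has been read.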
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


