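/// <summary>
/// Validates a password-reset link. The request must carry a non-empty
/// <c>username</c> and <c>token</c> in the query string, and the token's hash must
/// match an unused, unexpired row in Data.ResetTokens for that user. Every failure
/// path redirects to reset.aspx?type=invalidToken; only a matching token lets the
/// page continue rendering.
/// </summary>
/// <param name="sender">The page raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    const string invalidTokenUrl = "reset.aspx?type=invalidToken";
    try
    {
        string strUsername = Request.QueryString["username"];
        string strToken = Request.QueryString["token"];

        // No username or token provided.
        if (string.IsNullOrEmpty(strUsername) || string.IsNullOrEmpty(strToken))
        {
            Response.Redirect(invalidTokenUrl);
            return;
        }

        txtUsername.Value = strUsername;

        // Fetch the stored hash of the user's live token. The expiry test is written
        // as a plain date comparison: the previous DATEDIFF(millisecond, ...) < 0 form
        // raises a SQL overflow error once the two dates are more than ~24 days apart,
        // so an old row for the same user could turn the page into a server error.
        string qry = "SELECT R.Token_Hash FROM Data.ResetTokens AS R "
            + "JOIN Data.Employee AS E ON R.Person_ID = E.Person_ID "
            + "WHERE E.Username = @username AND R.Token_Used = 0 AND R.Expiration_Date > GETDATE()";

        string strHashedTokenDb = null;
        using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ConnectionString))
        using (SqlCommand cmd = new SqlCommand(qry, conn))
        {
            SqlParameter usernameParam = new SqlParameter("@username", System.Data.SqlDbType.VarChar);
            usernameParam.Value = strUsername;
            cmd.Parameters.Add(usernameParam);

            conn.Open();
            using (SqlDataReader sdr = cmd.ExecuteReader())
            {
                if (sdr.Read())
                {
                    // The hash is written with SqlDbType.Char elsewhere in this file, so
                    // trailing padding is stripped before comparing.
                    strHashedTokenDb = sdr["Token_Hash"].ToString().Trim();
                }
            }
        }

        // null means there is no unused, unexpired token for this user.
        bool blnHashesEqual = strHashedTokenDb != null
            && FixedTimeEquals(HashSalt.GenerateHashString(strToken), strHashedTokenDb);

        if (!blnHashesEqual)
        {
            // Token missing, expired, already used, or does not match.
            Response.Redirect(invalidTokenUrl);
        }
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Response.Redirect ends the response by aborting the request thread;
        // that is not an error, so let it propagate untouched.
        throw;
    }
    catch (Exception ex)
    {
        // Never echo exception text to the browser: database and configuration
        // errors reveal connection and schema details. Log and treat the link as invalid.
        System.Diagnostics.Trace.TraceError("Page_Load reset-token check failed: {0}", ex);
        Response.Redirect(invalidTokenUrl);
    }
}

/// <summary>
/// Compares two hash strings in time that does not depend on where they first
/// differ, so a mismatching token does not reveal how many leading characters
/// matched. A length mismatch returns false at once; hashes have a fixed length,
/// so that reveals nothing about the stored value.
/// </summary>
/// <param name="a">First hash string; null is treated as a mismatch.</param>
/// <param name="b">Second hash string; null is treated as a mismatch.</param>
/// <returns>true when both strings are non-null and ordinally equal.</returns>
private static bool FixedTimeEquals(string a, string b)
{
    if (a == null || b == null || a.Length != b.Length)
    {
        return false;
    }
    int diff = 0;
    for (int i = 0; i < a.Length; i++)
    {
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}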
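/// <summary>
/// Issues a new password-reset token for an employee: marks existing tokens as
/// used, stores the hash of the new token in Data.ResetTokens with a three-hour
/// expiry, and e-mails the reset link (which carries the plaintext token) built
/// from emailResetTemplate.html.
/// </summary>
/// <param name="intID">Person_ID of the employee the token belongs to.</param>
/// <param name="strUsername">Username shown in the e-mail and placed in the reset link.</param>
/// <param name="strEmail">Recipient address.</param>
private void sendResetEmail(int intID, string strUsername, string strEmail)
{
    string strToken = generateToken();
    string strHashedToken = HashSalt.GenerateHashString(strToken);

    // Mark any existing tokens as used so only the newest link stays valid.
    markExistingTokens();

    // Only the hash is persisted; the plaintext token exists in the e-mail alone.
    // The expiry is passed as a typed parameter instead of being formatted into the
    // SQL text, where DateTime.ToString() depended on the server's culture settings.
    // NOTE(review): DateTime.Now is later compared with GETDATE() on the database;
    // this assumes the web and database servers share a time zone — confirm.
    string qry = "INSERT INTO Data.ResetTokens (Person_ID, Token_Hash, Expiration_Date, Token_Used) "
        + "VALUES (@id, @tokenhash, @expires, 0)";
    using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ConnectionString))
    using (SqlCommand cmd = new SqlCommand(qry, conn))
    {
        cmd.Parameters.Add("@id", System.Data.SqlDbType.Int).Value = intID;
        cmd.Parameters.Add("@tokenhash", System.Data.SqlDbType.Char).Value = strHashedToken;
        cmd.Parameters.Add("@expires", System.Data.SqlDbType.DateTime).Value = DateTime.Now.AddHours(3);
        conn.Open();
        cmd.ExecuteNonQuery();
    }

    // Load the HTML template; ReadAllText closes the file even if reading throws.
    string templatePath = Path.Combine(HttpRuntime.AppDomainAppPath, "emailResetTemplate.html");
    string strEmailBody = File.ReadAllText(templatePath);
    string mainUrl = ConfigurationManager.AppSettings["mainURL"];

    // NOTE(review): the query-string value between "username=" and "&token=" was
    // redacted in the listing this came from; the username is assumed here because
    // the reset page reads a "username" parameter back — confirm against the original.
    // Both values are percent-encoded so a username containing '&' or '#' cannot
    // truncate or alter the link.
    string actionUrl = mainUrl + "resetPassword?username=" + Uri.EscapeDataString(strUsername)
        + "&token=" + Uri.EscapeDataString(strToken);

    // The body is HTML, so the username is HTML-encoded before insertion.
    strEmailBody = strEmailBody.Replace("[strUsername]", HttpUtility.HtmlEncode(strUsername));
    strEmailBody = strEmailBody.Replace("[actionURL]", actionUrl);
    strEmailBody = strEmailBody.Replace("[mainURL]", mainUrl);

    SmtpSection section = (SmtpSection)ConfigurationManager.GetSection("system.net/mailSettings/smtp");
    using (MailMessage mailMessage = new MailMessage(section.Network.UserName, strEmail))
    {
        mailMessage.IsBodyHtml = true;
        mailMessage.Body = strEmailBody;
        mailMessage.Subject = "Reset Your Password";
        SmtpClient smtpClient = new SmtpClient();
        smtpClient.Send(mailMessage);
    }
}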