protected void btnSubmitNewUser_Click(object sender, EventArgs e)
{
try {
string strFirstName = Request.Form["txtFirstName"];
string strMiddleName = Request.Form["txtMiddleName"];
string strLastName = Request.Form["txtLastName"];
int intEmployeeID = Convert.ToInt32(Request.Form["txtEmployeeID"]);
string strUsername = Request.Form["txtUsername"];
bool blnActive;
string strPassword = Request.Form["txtPassword"];
string strEmail = Request.Form["txtEmail"];
string strDepartment = Request.Form["sltDepartment"];
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString());
conn.Open();
// Add hash password
HashSalt hashSalt = HashSalt.GenerateSaltedHash(32, strPassword);
string hashParam = hashSalt.Hash;
// Add salt
string saltParam = hashSalt.Salt;
blnActive = cbEmployeeStatus.Checked;
Shared.InsertNewEmployee(strFirstName, strMiddleName, strLastName, strUsername, hashParam, saltParam, blnActive, intEmployeeID, strEmail, strDepartment);
conn.Close();
Response.Redirect("signIn.aspx?type=newUser");
} catch (Exception ex) {
Response.Write(ex.Message);
}
}
protected void btnResetPassword_Click(object sender, EventArgs e)
{
try {
string strPassword = Request.Form["txtPassword"];
string strUsername = Request.Form["txtUsername"];
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString());
conn.Open();
string qry = "UPDATE Data.Employee SET Password = @hash, Salt = @salt WHERE Username = @username";
using (SqlCommand cmd = new SqlCommand(qry, conn)) {
var usernameParam = new SqlParameter("@username", System.Data.SqlDbType.VarChar);
usernameParam.Value = strUsername;
cmd.Parameters.Add(usernameParam);
// Add hash password
HashSalt hashSalt = HashSalt.GenerateSaltedHash(32, strPassword);
var hashParam = new SqlParameter("@hash", System.Data.SqlDbType.Char);
hashParam.Value = hashSalt.Hash;
cmd.Parameters.Add(hashParam);
// Add salt
var saltParam = new SqlParameter("@salt", System.Data.SqlDbType.Char);
saltParam.Value = hashSalt.Salt;
cmd.Parameters.Add(saltParam);
SqlDataReader sdr = cmd.ExecuteReader();
conn.Close();
}
// Mark token as used
conn.Open();
qry = "UPDATE Data.ResetTokens SET Data.ResetTokens.Token_Used = 1 FROM Data.ResetTokens AS R JOIN Data.Employee AS E ON R.Person_ID = E.Person_ID WHERE E.Username = @username";
using (SqlCommand cmd = new SqlCommand(qry, conn)) {
var usernameParam = new SqlParameter("@username", System.Data.SqlDbType.VarChar);
usernameParam.Value = strUsername;
cmd.Parameters.Add(usernameParam);
SqlDataReader sdr = cmd.ExecuteReader();
}
conn.Close();
// Redirect to succesful reset page
Response.Redirect("reset.aspx?type=resetPasswordSuccess");
}
catch (Exception ex) {
Response.Write(ex.Message);
}
}