protected void SubmitButton_Click(object sender, EventArgs e)
{
try
{
bool checkId = HospitalClass.sqlProtect(UserIdBox.Text); //security for user id input against sqlInjection
bool checkPwd = HospitalClass.sqlProtect(PasswordBox.Text); //security for password input against sqlInjection
if (UserIdBox.Text.Length != 0 && checkId && checkPwd)
{
string passwordQuery = DataProvider.LoginPage.PasswordQuery(UserIdBox.Text.ToUpper().Trim());
DataTable dt = HospitalClass.getDataTable(passwordQuery);
if (dt.Rows.Count > 0)
{
string encryptPassword = HospitalClass.Encrypt(PasswordBox.Text);
int checkPassword = 0;
string userIdPass = "";
foreach (DataRow row in dt.Rows)
{
if (encryptPassword == row[0].ToString()) //check if password correlate
{
checkPassword = 1;
userIdPass = row[1].ToString(); //check first name repetition
}
userId = row[1].ToString();
if (userIdPass.Length > 0)
{
userId = userIdPass;
}
}
if (Session["SuperUser"] != null)
{
updaterId = (string)Session["SuperUser"];
}
else if (Session["Admin"] != null)
{
updaterId = (string)Session["Admin"];
}
else
{
updaterId = userId;
}
bool rights;
if (userId.StartsWith("ADM") || userId.StartsWith("SUP"))
{
rights = false;
}
else
{
rights = true;
}
//for either a basic user or a privileged user
if ((Session["SuperUser"] != null || Session["Admin"] != null || (checkPassword == 1 && rights)) || (!rights && checkPassword == 1))
{
bool auditTrailValidator = false;
string oldUser = ""; //to check the access of an administrator or a superuser
if (Session["SuperUser"] != null)
{
oldUser = Session["SuperUser"].ToString();
}
else if (Session["Admin"] != null)
{
oldUser = Session["Admin"].ToString();
}
Session["User"] = userId;
//using linq to datasets to query the datatable (to guard against two users with the same first name)
Session["FirstName"] = (from FirstName in dt.AsEnumerable()
where FirstName.Field <string>("USER_ID") == userId
select FirstName.Field <string>("FIRST_NAME")).First().ToString();
Session["RegStatus"] = (from Status in dt.AsEnumerable()
where Status.Field <string>("USER_ID") == userId
select Status.Field <string>("STATUS")).First().ToString();
//login for users
if ((Session["SuperUser"] != null || Session["Admin"] != null || checkPassword == 1) && rights)
{
if (userId.StartsWith("PAT"))
{
updateCode = "PAT_LGN";
}
else if (userId.StartsWith("DC"))
{
updateCode = "DOC_LGN";
}
else
{
updateCode = "STF_LGN";
};
Response.Redirect("~/LoggedInPage.aspx", false);
auditTrailValidator = true;
}
//login for admin and superuser
else if (!rights && checkPassword == 1)
{
if (userId.StartsWith("SUP"))
{
Session["SuperUser"] = userId;
updateCode = "SUP_LGN";
}
else
{
Session["Admin"] = userId;
updateCode = "ADM_LGN";
}
Response.Redirect("~/LoggedInPage.aspx", false);
auditTrailValidator = true;
}
//extraneous login for superuser and administrator
else
{
//to catch unauthorized access to another privileged user's account
if ((Session["SuperUser"] != null && !userId.StartsWith("SUP")) || oldUser == userId) //for privileged user relogin
{
Session["User"] = userId;
if (oldUser == userId)
{
Session["Info"] = "Welcome Back";
}
if (userId.ToUpper().StartsWith("ADM"))
{
updateCode = "ADM_LGN";
}
else
{
updateCode = "SUP_LGN";
}
Response.Redirect("~/LoggedInPage.aspx", false);
auditTrailValidator = true;
}
else
{
StatusLabel.Text = "You do not have access to this profile";
if (oldUser.StartsWith("SUP"))
{
Session["User"] = Session["SuperUser"].ToString();
}
else
{
Session["User"] = Session["Admin"].ToString();
}
auditTrailValidator = false;
}
}
if (auditTrailValidator)
{
object[] values = new object[4];
values[0] = (HospitalClass.getTransactionId());
values[1] = (updateCode);
values[2] = (updaterId);
values[3] = (userId);
int status = DataConsumer.executeProc("audit_trail_proc", values);
}
}
else
{
if (PasswordBox.Text.Length == 0)
{
StatusLabel.Text = "Please enter your password";
}
else
{
StatusLabel.Text = "Wrong user Id/password combination.<br/>Note: Password is case-sensitive.";
}
}
}
else
{
StatusLabel.Text = "You are not a user on our database. Please register.";
}
}
else
{
if (UserIdBox.Text.Length == 0)
{
StatusLabel.Text = "Please enter your user id, first name or email address";
}
else if (!checkId)
{
StatusLabel.Text = "Unsecure user Id";
}
else
{
StatusLabel.Text = "Unsecure password";
}
}
}
catch (Exception ex)
{
StatusLabel.Text = "Error: " + ex.Message;
HospitalClass.Log(ex);
//ex.Logger();
}
}