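/// <summary>
/// Handles the login form POST: validates the submitted username format,
/// looks the user up, verifies the password, issues the forms-authentication
/// cookie and redirects the caller.
/// </summary>
/// <param name="form">Posted login form carrying <c>Username</c> and <c>Password</c>.</param>
/// <param name="returnUrl">
/// Optional post-login redirect target. It is caller-supplied and therefore untrusted;
/// it is followed only when it is a local URL.
/// </param>
/// <returns>
/// The login view with model errors when validation or authentication fails;
/// otherwise a redirect to <paramref name="returnUrl"/> (local URLs only) or to the "home" route.
/// </returns>
public ActionResult Login(AuthLoginForm form, string returnUrl)
{
    Debug.WriteLine("POST: Auth Controller: Login");

    #region Check if Inputs are Valid
    if (!DB_users.ValidateUsername(form.Username))
    {
        ModelState.AddModelError("Username", "Username contains invalid characters");
    }

    if (!ModelState.IsValid)
    {
        return View(form);
    }
    #endregion

    var user = Database.Session.Query<DB_users>().FirstOrDefault(u => u.username == form.Username);

    // Prevent timing attacks: when no account matches, still call FakeHash()
    // (presumably a dummy password-hash computation, confirm in DB_users) so that
    // response time does not reveal whether the username exists.
    if (user == null)
    {
        DB_users.FakeHash();
    }

    // Same generic message for "unknown user" and "wrong password", so the
    // response text does not disclose which of the two was wrong.
    if (user == null || !user.CheckPassword(form.Password))
    {
        ModelState.AddModelError("Username", "Username or Password is incorrect");
    }

    if (!ModelState.IsValid)
    {
        return View(form);
    }

    // NOTE(review): the second argument requests a persistent cookie that survives
    // browser restarts; confirm this is intended rather than driven by a
    // "remember me" choice on the form.
    FormsAuthentication.SetAuthCookie(user.username, true);

    // returnUrl comes from the request. Redirecting to it unchecked is an open
    // redirect: a crafted login link could send a freshly authenticated user to an
    // external site. Follow it only when it is local to this application;
    // anything else falls through to the home route.
    if (!string.IsNullOrWhiteSpace(returnUrl) && Url.IsLocalUrl(returnUrl))
    {
        return Redirect(returnUrl);
    }

    return RedirectToRoute("home");
}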