public static bool verifyUser(string username, string password, string loginType)
        {
            DataTable result = null;

            try
            {
                using (SqlConnection conPrintDB = new SqlConnection(ConfigurationManager.ConnectionStrings["printDBServer"].ConnectionString))
                {
                    string strSelect = null;
                    if (loginType.Equals(ROLE_STAFF))
                    {
                        strSelect = "select StaffPassword As Password, StaffSalt As Salt from CompanyStaff where StaffEmail = @uname";
                    }
                    else
                    {
                        strSelect = "select CustomerPassword As Password, CustomerSalt As Salt from Customer where CustomerEmail = @uname";
                    }


                    using (SqlCommand cmdSelect = new SqlCommand(strSelect, conPrintDB))
                    {
                        cmdSelect.Parameters.AddWithValue("@uname", username);

                        using (SqlDataAdapter da = new SqlDataAdapter(cmdSelect))
                        {
                            result = new DataTable();
                            da.Fill(result);
                        }

                        //retrieve password info
                        byte[] storedPassword = (byte[])result.Rows[0]["Password"];
                        byte[] storedSalt     = (byte[])result.Rows[0]["Salt"];

                        //hash password from textbox
                        byte[] hashedPassword = ClassHashing.generateSaltedHash(password, storedSalt);

                        //compare the password and return the result
                        return(ClassHashing.CompareByteArrays(storedPassword, hashedPassword));
                    }
                }
            }
            catch (Exception ex)
            {
                throw new Exception(ex.ToString());
            }
        }
        public static string activateStaff(string verificationCode)
        {
            DataTable result = null;

            byte[] emptyByte = { 0, 0 };
            try
            {
                using (SqlConnection conPrintDB = new SqlConnection(ConfigurationManager.ConnectionStrings["printDBServer"].ConnectionString))
                {
                    string strSelect = null;

                    strSelect = "select StaffID, StaffNRIC, StaffSalt from CompanyStaff where StaffPassword = @password";


                    using (SqlCommand cmdSelect = new SqlCommand(strSelect, conPrintDB))
                    {
                        cmdSelect.Parameters.AddWithValue("@password", emptyByte);

                        using (SqlDataAdapter da = new SqlDataAdapter(cmdSelect))
                        {
                            result = new DataTable();
                            da.Fill(result);
                        }

                        //convert verification code to byte array
                        byte[] codeByte = Convert.FromBase64String(verificationCode);

                        for (int i = 0; i < result.Rows.Count; i++)
                        {
                            string staffID   = (string)result.Rows[i]["StaffID"];
                            string staffNRIC = (string)result.Rows[i]["StaffNRIC"];
                            byte[] staffSalt = (byte[])result.Rows[i]["StaffSalt"];
                            if (ClassHashing.CompareByteArrays(ClassHashing.generateSaltedHash(staffID + staffNRIC, staffSalt), codeByte))
                            {
                                return(staffID);
                            }
                        }
                        return(null);
                    }
                }
            }
            catch (Exception ex)
            {
                throw new Exception(ex.ToString());
            }
        }
 public static string getVerificationCode(string text, byte[] salt)
 { //verification code is generated by combining staff id and NRIC and random salt;
     return(Convert.ToBase64String(ClassHashing.generateSaltedHash(text, salt)));
 }
Exemple #4
0
        protected void btnSubmit_Click(object sender, EventArgs e)
        {
            SqlConnection conPrintDB;
            string        connStr = ConfigurationManager.ConnectionStrings["printDBServer"].ConnectionString;

            conPrintDB = new SqlConnection(connStr);
            conPrintDB.Open();
            try
            {
                string     strInsert;
                SqlCommand cmdInsert;

                strInsert = "Insert Into CompanyStaff (StaffName, StaffEmail, StaffPassword, StaffNRIC, StaffDOB, StaffPhoneNo, StaffSalt, StaffRole, CompanyID) Values (@staffName, @staffEmail,@staffPassword, @staffNRIC, @staffDOB, @staffPhoneNo, @staffSalt, @staffRole, @companayID); SELECT MAX(StaffID) from CompanyStaff where StaffName=@staffName and StaffPhoneNo=@staffPhoneNo";

                byte[] generatedSalt = ClassHashing.generateSalt();
                byte[] hashPassword  = { 0, 0 };//empty password when checkbox for password setting is not checked

                if (chkPassSet.Checked)
                {
                    hashPassword = ClassHashing.generateSaltedHash(txtPassword.Text, generatedSalt);
                }
                cmdInsert = new SqlCommand(strInsert, conPrintDB);
                cmdInsert.Parameters.AddWithValue("@staffName", txtName.Text);
                cmdInsert.Parameters.AddWithValue("@staffEmail", txtEmail.Text);
                cmdInsert.Parameters.AddWithValue("@staffPassword", hashPassword);
                cmdInsert.Parameters.AddWithValue("@staffNRIC", txtNRIC.Text);
                cmdInsert.Parameters.AddWithValue("@staffDOB", cldBOD.SelectedDate);
                cmdInsert.Parameters.AddWithValue("@staffPhoneNo", txtPhoneNo.Text);
                cmdInsert.Parameters.AddWithValue("@staffSalt", generatedSalt);
                cmdInsert.Parameters.AddWithValue("@staffRole", UserVerification.ROLE_STAFF);
                cmdInsert.Parameters.AddWithValue("@companayID", Request.Cookies["CompanyID"].Value);

                var staffID = cmdInsert.ExecuteScalar();

                if (!chkPassSet.Checked)
                {
                    string     strSelect = "SELECT CompanyName FROM Company WHERE CompanyID = @companyID";
                    SqlCommand cmdSelect = new SqlCommand(strSelect, conPrintDB);
                    cmdSelect.Parameters.AddWithValue("@companyID", Request.Cookies["CompanyID"].Value);
                    var companyName = cmdSelect.ExecuteScalar();

                    string verificationCode = UserVerification.getVerificationCode(staffID + txtNRIC.Text, generatedSalt);
                    //then it will generate a url to activate the account and send it to the staff
                    string     verificationLink = DOMAIN_NAME + Page.ResolveUrl("~/StaffAccountActivation.aspx?VC=" + HttpUtility.UrlEncode(verificationCode));
                    string     emailContent     = EmailClass.populateActivationEmail((string)companyName, verificationLink);// content of the email
                    EmailClass emailClass       = new EmailClass(txtEmail.Text, "Staff Account Activation", emailContent, true);

                    if (EmailClass.isCredentialed())
                    {
                        EmailCredential credential = (EmailCredential)Session["EmailCredential"];
                        emailClass.sendEmail(credential);
                    }
                    else
                    {
                        Session["tempEmail"] = emailClass;
                        Response.Redirect(ResolveUrl("~/Staff/VerifyEmail.aspx?ReturnURL=" + Request.Url.AbsoluteUri));
                    }
                }

                lblError.Text = "Successfully added";
            }
            catch (Exception ex)
            {
                lblError.Text = "An error occured when register staff :" + ex.ToString();
            }
            finally
            {
                conPrintDB.Close();
            }
        }