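/// <summary>
/// Validates the password-reset link (username and token taken from the query string) before the
/// page renders. A missing username/token, a user with no live token, or a token whose hash does
/// not match all end on the same invalid-token page, so the response does not reveal which check failed.
/// </summary>
/// <param name="sender">Page raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    try
    {
        string strUsername = Request.QueryString["username"];
        string strToken = Request.QueryString["token"];

        if (string.IsNullOrEmpty(strUsername) || string.IsNullOrEmpty(strToken))
        {
            // No username or token provided
            Response.Redirect("reset.aspx?type=invalidToken");
            return;
        }

        txtUsername.Value = strUsername;
        bool blnHashesEqual = false;

        // Fetch the stored hash of an unused, unexpired token for this user. Expiry is judged by the
        // database clock (GETDATE()) while the token was stamped with the web server's clock when
        // issued, so both hosts need to agree on time.
        const string qry = "SELECT R.Token_Hash FROM Data.ResetTokens AS R JOIN Data.Employee AS E ON R.Person_ID = E.Person_ID WHERE E.Username = @username AND R.Token_Used = 0 AND DATEDIFF(millisecond, R.Expiration_Date, GETDATE()) < 0";

        using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString()))
        using (SqlCommand cmd = new SqlCommand(qry, conn))
        {
            cmd.Parameters.Add("@username", System.Data.SqlDbType.VarChar).Value = strUsername;
            conn.Open();

            using (SqlDataReader sdr = cmd.ExecuteReader())
            {
                if (sdr.Read())
                {
                    // Token_Hash is a fixed-width column, hence the Trim() before comparing.
                    string strHashedTokenDb = sdr["Token_Hash"].ToString().Trim();

                    // Compare the hash of the presented token with the stored hash in fixed time, so
                    // response timing does not leak where the two strings first differ.
                    string strHashedToken = HashSalt.GenerateHashString(strToken);
                    blnHashesEqual = FixedTimeEquals(strHashedToken, strHashedTokenDb);
                }
                // No row: token already used or expired, or the user has no tokens at all.
            }
        }

        if (!blnHashesEqual)
        {
            // Invalid token
            Response.Redirect("reset.aspx?type=invalidToken");
        }
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Response.Redirect ends the response by aborting the request thread; let that propagate.
        throw;
    }
    catch (Exception ex)
    {
        // Log the details server-side; exception text (SQL errors, paths) must not reach the client.
        System.Diagnostics.Trace.TraceError(ex.ToString());
        Response.Write("An unexpected error occurred. Please try again later.");
    }
}

/// <summary>
/// Compares two hash strings in time that depends only on their length, never on the position of
/// the first mismatch, so a caller cannot recover the stored hash character by character via timing.
/// </summary>
/// <param name="strLeft">First hash string.</param>
/// <param name="strRight">Second hash string.</param>
/// <returns><c>true</c> when both are non-null and identical (ordinal comparison).</returns>
private static bool FixedTimeEquals(string strLeft, string strRight)
{
    if (strLeft == null || strRight == null || strLeft.Length != strRight.Length)
    {
        return false;
    }

    int intDiff = 0;
    for (int i = 0; i < strLeft.Length; i++)
    {
        // OR-accumulate the XOR of every character pair; no early exit on mismatch.
        intDiff |= strLeft[i] ^ strRight[i];
    }

    return intDiff == 0;
}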
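/// <summary>
/// Handles the sign-in button: verifies the posted username/password against the stored salted hash
/// and, on success, stores the Person_ID in session, issues the Forms Authentication cookie and
/// redirects to Home.aspx. An unknown username and a wrong password produce the same message.
/// </summary>
/// <param name="sender">Button raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btnSubmit_Click(object sender, EventArgs e)
{
    try
    {
        // Hide new user message if showing
        if (strType != "")
        {
            message.InnerText = "Incorrect username or password entered.";
            message.Attributes.Add("class", message.Attributes["class"].ToString().Replace("message", "invalidInput"));
            message.Style["display"] = "none";
        }

        string strUsername = Request.Form["txtUsername"];
        string strEnteredPassword = Request.Form["txtPassword"];
        bool blnSignedIn = false;

        const string qry = "SELECT * FROM Data.Employee WHERE Username = @username";

        // conn is a page-level field; the finally guarantees it is closed even when the query throws.
        conn.Open();
        try
        {
            using (SqlCommand cmd = new SqlCommand(qry, conn))
            {
                cmd.Parameters.Add("@username", System.Data.SqlDbType.VarChar).Value = strUsername;

                using (SqlDataReader sdr = cmd.ExecuteReader())
                {
                    if (sdr.Read())
                    {
                        // Password/Salt are stored as fixed-width Char (see the reset handler), so
                        // trim the padding before verifying.
                        string strHash = sdr["Password"].ToString().Trim();
                        string strSalt = sdr["Salt"].ToString().Trim();

                        // Check if password hashes and salt match
                        if (HashSalt.VerifySaltedHash(strEnteredPassword, strHash, strSalt))
                        {
                            Session["User_ID"] = sdr["Person_ID"];
                            FormsAuthentication.SetAuthCookie(sdr["Username"].ToString(), false);
                            blnSignedIn = true;
                        }
                    }
                    // NOTE(review): an unknown username skips VerifySaltedHash entirely, so this path
                    // responds faster than a wrong password; a dummy verification on the not-found
                    // path would remove that timing difference.
                }
            }
        }
        finally
        {
            conn.Close();
        }

        if (blnSignedIn)
        {
            // Sign-in successful.
            // NOTE(review): the session id is not regenerated on login; if Session["User_ID"] is
            // relied on for authorization, consider issuing a fresh session here — confirm.
            Response.Redirect("Home.aspx");
        }
        else
        {
            // Incorrect password or username not found: identical response for both.
            message.Style["display"] = "block";
        }
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Raised by Response.Redirect to end the request; must propagate.
        throw;
    }
    catch (Exception ex)
    {
        // Log server-side; never echo exception details to the browser.
        System.Diagnostics.Trace.TraceError(ex.ToString());
        Response.Write("An unexpected error occurred. Please try again later.");
    }
}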
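/// <summary>
/// Handles the new-user form: hashes the posted password with a fresh random salt, stores the
/// employee through <see cref="Shared.InsertNewEmployee"/>, and redirects to the sign-in page.
/// </summary>
/// <param name="sender">Button raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btnSubmitNewUser_Click(object sender, EventArgs e)
{
    try
    {
        string strFirstName = Request.Form["txtFirstName"];
        string strMiddleName = Request.Form["txtMiddleName"];
        string strLastName = Request.Form["txtLastName"];
        string strUsername = Request.Form["txtUsername"];
        string strPassword = Request.Form["txtPassword"];
        string strEmail = Request.Form["txtEmail"];
        string strDepartment = Request.Form["sltDepartment"];
        bool blnActive = cbEmployeeStatus.Checked;

        // Validate the employee id instead of letting Convert.ToInt32 throw on bad input.
        int intEmployeeID;
        if (!int.TryParse(Request.Form["txtEmployeeID"], out intEmployeeID))
        {
            Response.Write("Employee ID must be a whole number.");
            return;
        }

        // NOTE(review): nothing visible here checks that the caller may create accounts or that the
        // password meets a minimum policy; confirm both are enforced before this handler runs.

        // Hash the password with a new random salt; only the hash and salt are persisted.
        HashSalt hashSalt = HashSalt.GenerateSaltedHash(32, strPassword);

        // InsertNewEmployee takes no connection, so none is opened here.
        Shared.InsertNewEmployee(strFirstName, strMiddleName, strLastName, strUsername, hashSalt.Hash, hashSalt.Salt, blnActive, intEmployeeID, strEmail, strDepartment);

        Response.Redirect("signIn.aspx?type=newUser");
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Raised by Response.Redirect to end the request; must propagate.
        throw;
    }
    catch (Exception ex)
    {
        // Log server-side; never echo exception details to the browser.
        System.Diagnostics.Trace.TraceError(ex.ToString());
        Response.Write("An unexpected error occurred. Please try again later.");
    }
}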
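/// <summary>
/// Handles the reset-password form: stores a new salted hash for the posted username and marks
/// that user's reset tokens as used, both inside one transaction, then redirects to the success page.
/// </summary>
/// <param name="sender">Button raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btnResetPassword_Click(object sender, EventArgs e)
{
    try
    {
        string strPassword = Request.Form["txtPassword"];
        string strUsername = Request.Form["txtUsername"];

        // NOTE(review): the username is read from the posted form, whereas Page_Load validated the
        // reset token against the query-string username. If a client can post a txtUsername other
        // than the one the token was issued for, this updates a different account; tying this UPDATE
        // to the validated token (e.g. through R.Token_Hash) would close that gap — confirm how the
        // form is submitted before relying on Page_Load alone.

        // Hash the new password with a fresh random salt.
        HashSalt hashSalt = HashSalt.GenerateSaltedHash(32, strPassword);

        const string qryPassword = "UPDATE Data.Employee SET Password = @hash, Salt = @salt WHERE Username = @username";
        const string qryToken = "UPDATE Data.ResetTokens SET Data.ResetTokens.Token_Used = 1 FROM Data.ResetTokens AS R JOIN Data.Employee AS E ON R.Person_ID = E.Person_ID WHERE E.Username = @username";

        using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString()))
        {
            conn.Open();

            // One transaction: the password must not change while the token stays reusable, and
            // the token must not be consumed without the password actually changing.
            using (SqlTransaction tx = conn.BeginTransaction())
            {
                using (SqlCommand cmd = new SqlCommand(qryPassword, conn, tx))
                {
                    cmd.Parameters.Add("@username", System.Data.SqlDbType.VarChar).Value = strUsername;
                    cmd.Parameters.Add("@hash", System.Data.SqlDbType.Char).Value = hashSalt.Hash;
                    cmd.Parameters.Add("@salt", System.Data.SqlDbType.Char).Value = hashSalt.Salt;
                    cmd.ExecuteNonQuery();
                }

                // Mark token as used
                using (SqlCommand cmd = new SqlCommand(qryToken, conn, tx))
                {
                    cmd.Parameters.Add("@username", System.Data.SqlDbType.VarChar).Value = strUsername;
                    cmd.ExecuteNonQuery();
                }

                tx.Commit();
            }
        }

        // Redirect to successful reset page
        Response.Redirect("reset.aspx?type=resetPasswordSuccess");
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Raised by Response.Redirect to end the request; must propagate.
        throw;
    }
    catch (Exception ex)
    {
        // Log server-side; never echo exception details to the browser.
        System.Diagnostics.Trace.TraceError(ex.ToString());
        Response.Write("An unexpected error occurred. Please try again later.");
    }
}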
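/// <summary>
/// Issues a password-reset token for an employee: stores only the token's hash with a 3-hour
/// expiry, then e-mails a link carrying the username and the plain token.
/// </summary>
/// <param name="intID">Person_ID the token is recorded against.</param>
/// <param name="strUsername">Username placed in the e-mail body and the reset link.</param>
/// <param name="strEmail">Recipient address.</param>
private void sendResetEmail(int intID, string strUsername, string strEmail)
{
    string strToken = generateToken();
    string strHashedToken = HashSalt.GenerateHashString(strToken);

    // Mark any existing tokens as used
    markExistingTokens();

    // Expiry is computed on the web server but later compared against GETDATE() on the database
    // server; passing it as a typed parameter avoids culture-dependent date formatting in SQL text.
    DateTime dtExpiration = DateTime.Now.AddHours(3);

    // Store the hashed token in database
    const string qry = "INSERT into Data.ResetTokens(Person_ID, Token_Hash, Expiration_Date, Token_Used) VALUES(@id, @tokenhash, @expiration, '0')";

    using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString()))
    using (SqlCommand cmd = new SqlCommand(qry, conn))
    {
        cmd.Parameters.Add("@id", System.Data.SqlDbType.Int).Value = intID;
        cmd.Parameters.Add("@tokenhash", System.Data.SqlDbType.Char).Value = strHashedToken;
        cmd.Parameters.Add("@expiration", System.Data.SqlDbType.DateTime).Value = dtExpiration;
        conn.Open();
        cmd.ExecuteNonQuery();
    }

    // Build the reset link. Escaping keeps characters such as '+' or '&' in the username or token
    // intact when the reset page reads them back from the query string.
    string strMainUrl = ConfigurationManager.AppSettings["mainURL"];
    string strActionUrl = strMainUrl + "resetPassword?username=" + Uri.EscapeDataString(strUsername) + "&token=" + Uri.EscapeDataString(strToken);

    string templatePath = Path.Combine(HttpRuntime.AppDomainAppPath, "emailResetTemplate.html");
    string strEmailBody = File.ReadAllText(templatePath);

    // Replace the template placeholder variables; the username is HTML-encoded because the body is
    // sent as HTML.
    strEmailBody = strEmailBody.Replace("[strUsername]", HttpUtility.HtmlEncode(strUsername));
    strEmailBody = strEmailBody.Replace("[actionURL]", strActionUrl);
    strEmailBody = strEmailBody.Replace("[mainURL]", strMainUrl);

    SmtpSection section = (SmtpSection)ConfigurationManager.GetSection("system.net/mailSettings/smtp");

    using (MailMessage mailMessage = new MailMessage(section.Network.UserName, strEmail))
    using (SmtpClient smtpClient = new SmtpClient())
    {
        mailMessage.IsBodyHtml = true;
        mailMessage.Body = strEmailBody;
        mailMessage.Subject = "Reset Your Password";
        smtpClient.Send(mailMessage);
    }
}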
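/// <summary>
/// Creates a random salt of <paramref name="size"/> bytes and hashes the password concatenated with
/// the Base64 salt via <see cref="GenerateHashString"/>.
/// </summary>
/// <param name="size">Number of random salt bytes to generate.</param>
/// <param name="strPassword">Plain-text password to hash.</param>
/// <returns>A <see cref="HashSalt"/> holding the hash and the Base64-encoded salt.</returns>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="size"/> is not positive.</exception>
public static HashSalt GenerateSaltedHash(int size, string strPassword)
{
    if (size <= 0)
    {
        throw new ArgumentOutOfRangeException("size", "Salt size must be positive.");
    }

    // NOTE(review): this is a single GenerateHashString pass over password+salt, not a slow,
    // iterated KDF (PBKDF2/bcrypt/Argon2). Changing the scheme requires re-hashing every stored
    // credential and updating VerifySaltedHash in step, so it is flagged here rather than changed.
    var saltBytes = new byte[size];
    using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
    {
        // Full-range bytes: the salt is Base64-encoded, so zero bytes need no special handling.
        rng.GetBytes(saltBytes);
    }

    string strSalt = Convert.ToBase64String(saltBytes);
    string strSaltHash = GenerateHashString(strPassword + strSalt);

    return new HashSalt { Hash = strSaltHash, Salt = strSalt };
}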
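/// <summary>
/// Handles the "forgot password / forgot username" form. With a username posted, the employee is
/// looked up by first name, last name, e-mail and username and sent a reset e-mail; with a password
/// posted instead, the lookup is by name and e-mail, the password is verified, and the username is
/// e-mailed. Every path ends on the same "e-mail sent" page so the response does not reveal whether
/// the submitted details matched an account.
/// </summary>
/// <param name="sender">Button raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btnResetCredentials_Click(object sender, EventArgs e)
{
    try
    {
        string strFirstName = Request.Form["txtFirstName"];
        string strLastName = Request.Form["txtLastName"];
        string strEmail = Request.Form["txtEmail"];
        string strPostedUsername = Request.Form["txtUsername"];
        string strEnteredPassword = Request.Form["txtPassword"];

        // A field missing from the POST arrives as null; treat that as "no match" rather than
        // sending a null parameter value to SQL Server (which fails the query).
        bool blnIdentityComplete = strFirstName != null && strLastName != null && strEmail != null;

        if (blnIdentityComplete && !string.IsNullOrEmpty(strPostedUsername))
        {
            // Forgot password
            const string qry = "SELECT * FROM Data.Employee WHERE First_Name = @firstname AND Last_Name = @lastname AND Email = @email AND Username = @username";

            using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString()))
            using (SqlCommand cmd = new SqlCommand(qry, conn))
            {
                cmd.Parameters.Add("@firstname", System.Data.SqlDbType.VarChar).Value = strFirstName;
                cmd.Parameters.Add("@lastname", System.Data.SqlDbType.VarChar).Value = strLastName;
                cmd.Parameters.Add("@email", System.Data.SqlDbType.VarChar).Value = strEmail;
                cmd.Parameters.Add("@username", System.Data.SqlDbType.VarChar).Value = strPostedUsername;
                conn.Open();

                using (SqlDataReader sdr = cmd.ExecuteReader())
                {
                    if (sdr.Read())
                    {
                        // Matching user found
                        int intID = (int)sdr["Person_ID"];
                        string strUsername = sdr["Username"].ToString();

                        // Send reset password email
                        sendResetEmail(intID, strUsername, strEmail);
                    }
                }
            }
        }
        else if (blnIdentityComplete && !string.IsNullOrEmpty(strEnteredPassword))
        {
            // Forgot username
            const string qry = "SELECT * FROM Data.Employee WHERE First_Name = @firstname AND Last_Name = @lastname AND Email = @email";

            using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString()))
            using (SqlCommand cmd = new SqlCommand(qry, conn))
            {
                cmd.Parameters.Add("@firstname", System.Data.SqlDbType.VarChar).Value = strFirstName;
                cmd.Parameters.Add("@lastname", System.Data.SqlDbType.VarChar).Value = strLastName;
                cmd.Parameters.Add("@email", System.Data.SqlDbType.VarChar).Value = strEmail;
                conn.Open();

                using (SqlDataReader sdr = cmd.ExecuteReader())
                {
                    // Name + e-mail need not be unique; the password decides which row is the caller's.
                    while (sdr.Read())
                    {
                        string strUsername = sdr["Username"].ToString();

                        // Password/Salt are fixed-width Char columns: trim the padding before
                        // verifying, as the sign-in handler does, or the comparison never matches.
                        string strHash = sdr["Password"].ToString().Trim();
                        string strSalt = sdr["Salt"].ToString().Trim();

                        // Check if password hashes and salt match
                        if (HashSalt.VerifySaltedHash(strEnteredPassword, strHash, strSalt))
                        {
                            // Send forgot username email if password is correct
                            sendForgotUsernameEmail(strUsername, strEmail);
                            break;
                        }
                    }
                }
            }
        }

        // Redirect to email sent page
        // This displays for invalid credentials as well so malicious users are not able to find valid usernames to attack
        // NOTE(review): the e-mail send on the match path still takes measurably longer than the
        // no-match path, so response timing differs; rate limiting this handler narrows that channel.
        Response.Redirect("reset.aspx?type=resetEmailSent");
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Raised by Response.Redirect to end the request; must propagate.
        throw;
    }
    catch (Exception ex)
    {
        // Log server-side; never echo exception details to the browser.
        System.Diagnostics.Trace.TraceError(ex.ToString());
        Response.Write("An unexpected error occurred. Please try again later.");
    }
}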