コード例 #1
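        /// <summary>
        /// Sends users whose password has expired to PasswordExpired.aspx.
        /// The check is skipped on PasswordExpired.aspx itself (it would loop) and on
        /// ChangePassword.aspx, so the user can still reach the page that fixes the problem.
        /// </summary>
        /// <param name="sender">The page raising the event.</param>
        /// <param name="e">Event data (unused).</param>
        /// <remarks>
        /// Compared with the previous version only the shape changed: the redundant inner
        /// brace block, the empty <c>else</c> and the commented-out debug output are gone;
        /// the redirect decision is the same.
        /// </remarks>
        protected void Page_Load(object sender, EventArgs e)
        {
            // Keep redirect: never run the check on the expiry page itself.
            if (Request.Url.LocalPath == "/PasswordExpired.aspx")
            {
                return;
            }

            // Not signed in: nothing to check here; authentication is enforced elsewhere.
            if (Session["UserEmail"] == null)
            {
                return;
            }

            // NOTE(review): the service proxy is created per request and never closed or
            // aborted; if Service1Client is a WCF ClientBase this leaks channels - confirm.
            AS_Service_Reference.Service1Client client = new AS_Service_Reference.Service1Client();
            var current_user = client.GetOneUser(Session["UserEmail"].ToString());

            // PasswordAge appears to hold the expiry instant; it is compared in server local
            // time like the rest of the site. current_user is deliberately not null-checked
            // (as before): a stale session for a deleted account faults the request rather
            // than silently passing the expiry check.
            if (current_user.PasswordAge < DateTime.Now
                && Request.Url.LocalPath != "/ChangePassword.aspx")
            {
                // Response.Redirect ends the response; nothing after it runs.
                Response.Redirect("PasswordExpired.aspx");
            }
        }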
コード例 #2
        /// <summary>
        /// Redirects anonymous visitors to the login page; otherwise greets the signed-in
        /// user by first and last name in <c>lbl_userPageTitle</c>.
        /// </summary>
        /// <param name="sender">The page raising the event.</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            object sessionEmail = Session["UserEmail"];

            if (sessionEmail == null)
            {
                // The redirect ends the response, so the greeting below is never reached.
                Response.Redirect("~/Login.aspx");
                return;
            }

            // NOTE(review): the service proxy is never closed/aborted; confirm whether
            // Service1Client needs explicit cleanup.
            var proxy = new AS_Service_Reference.Service1Client();
            var user  = proxy.GetOneUser(sessionEmail.ToString());

            lbl_userPageTitle.Text = $"Welcome {user.FirstName} {user.LastName}";
        }
コード例 #3
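        /// <summary>
        /// Handles the login button. Order of checks: CAPTCHA, then the per-session attempt
        /// counter (first layer), then the credentials, then the service-side account lock
        /// (second layer). On success the e-mail and a fresh GUID token are stored in the
        /// session, the token is issued as the <c>AuthCookie</c> cookie and the user is sent
        /// to UserPage.aspx.
        /// </summary>
        /// <param name="sender">The button raising the event.</param>
        /// <param name="e">Event data (unused).</param>
        /// <remarks>
        /// The attempt counter lives in <c>Session["LoginAttempts"]</c>; a client that discards
        /// its session cookie starts again at zero, so the durable protection is the account
        /// lock the service applies via <c>SetAccountLockOut</c> once the counter reaches three.
        /// Unknown e-mail and wrong password produce the same message and the same attempt
        /// charge, so the response does not reveal which accounts exist.
        /// Changes from the previous version: the wrapping <c>catch</c> that re-threw every
        /// exception as a bare <c>Exception</c> (losing the type and stack) is gone; the lockout
        /// branch looks the account up by the same encoded e-mail the credential check uses;
        /// the second <c>GetOneUser</c> round trip is hoisted; the hash object is disposed; the
        /// auth cookie is HttpOnly; a successful login resets the attempt counter.
        /// </remarks>
        protected void btn_login_Click(object sender, EventArgs e)
        {
            // Get our DB service
            // NOTE(review): never closed/aborted - confirm whether Service1Client needs it.
            AS_Service_Reference.Service1Client client = new AS_Service_Reference.Service1Client();

            if (!ValidateCaptcha_v3())
            {
                lbl_captchaScore.Text = "You did not pass the captcha validation";
                return;
            }

            // One normalised form of the e-mail for both the credential lookup and the lockout
            // below, so both hit the record CreateUser stored (it stores the encoded form).
            string email = HttpUtility.HtmlEncode(tb_email.Text.Trim());

            // When there is no more login attempts available
            if (Convert.ToInt32(Session["LoginAttempts"]) >= 3)
            {
                lbl_loginErrMsg.Text = "You are temporarily locked from accessing the login system due to multiple failed attempts, try again later.";

                var search_user = client.GetOneUser(email);
                if (search_user != null)
                {
                    client.SetAccountLockOut(search_user.Email);
                }
                return;
            }

            // The password is HTML-encoded before hashing, exactly as at registration and on
            // password change; the three must stay in sync or existing users cannot log in.
            string pwd = HttpUtility.HtmlEncode(tb_password.Text.Trim());

            string dbHash = client.getDBHash(email);
            string dbSalt = client.getDBSalt(email);

            if (string.IsNullOrEmpty(dbSalt) || string.IsNullOrEmpty(dbHash))
            {
                // When email is wrong: generic message, one attempt charged
                lbl_loginErrMsg.Text      = "Invalid Email or Password";
                lbl_loginErrMsg.ForeColor = System.Drawing.Color.Red;
                Session["LoginAttempts"]  = Convert.ToInt32(Session["LoginAttempts"]) + 1;
                return;
            }

            string userHash;
            using (SHA512Managed hashing = new SHA512Managed())
            {
                byte[] hashWithSalt = hashing.ComputeHash(Encoding.UTF8.GetBytes(pwd + dbSalt));
                userHash = Convert.ToBase64String(hashWithSalt);
            }

            // Ordinal comparison of the Base64 digests. A fixed-time comparison would be the
            // textbook choice; CryptographicOperations.FixedTimeEquals is not available on the
            // .NET Framework that WebForms targets.
            if (!string.Equals(userHash, dbHash, StringComparison.Ordinal))
            {
                // When password is wrong, but we still provide a generic error message
                lbl_loginErrMsg.Text      = "Invalid Email or Password";
                lbl_loginErrMsg.ForeColor = System.Drawing.Color.Red;
                Session["LoginAttempts"]  = Convert.ToInt32(Session["LoginAttempts"]) + 1;
                return;
            }

            // Credentials are right; the account lock is the second layer and is checked last.
            var user = client.GetOneUser(email);
            if (user.AccountLockExpiry >= DateTime.Now)
            {
                lbl_loginErrMsg.Text      = $"Your account has been temporarily locked due to multiple failed attempts,\n It will be available after {user.AccountLockExpiry}";
                lbl_loginErrMsg.ForeColor = System.Drawing.Color.Red;
                return;
            }

            client.RemoveAccountLockOut(email);

            // NOTE(review): the ASP.NET session id is not regenerated at login; consider
            // issuing a fresh session on successful authentication.
            Session["UserEmail"]     = email;
            Session["LoginAttempts"] = 0;  // a successful login starts the counter afresh

            // Create a new GUID and save into the session
            string guidToken = Guid.NewGuid().ToString();
            Session["AuthCookie"] = guidToken;

            // now create a new cookie with this guid value; HttpOnly keeps it out of reach of page script
            HttpCookie authCookie = new HttpCookie("AuthCookie", guidToken);
            authCookie.HttpOnly = true;
            // NOTE(review): also set authCookie.Secure = true once the site is served over HTTPS only.
            Response.Cookies.Add(authCookie);

            // endResponse: false, so the handler returns normally instead of aborting the thread.
            Response.Redirect("UserPage.aspx", false);
        }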
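        /// <summary>
        /// Handles the change-password button: checks strength, hashes the new password with
        /// the user's existing salt, rejects the current password, enforces the change
        /// cool-down, rejects the two previous passwords, then stores the new hash via the service.
        /// </summary>
        /// <param name="sender">The button raising the event.</param>
        /// <param name="e">Event data (unused).</param>
        /// <remarks>
        /// Changes from the previous version: an anonymous request (no <c>Session["UserEmail"]</c>)
        /// is redirected to the login page instead of faulting with a null reference; the
        /// hash object is disposed; the nested <c>else</c> blocks after <c>return</c> and the
        /// commented-out debug output are gone. Decisions and messages are unchanged.
        /// </remarks>
        protected void btn_submitChangePwd_Click(object sender, EventArgs e)
        {
            // Must be signed in; same treatment of anonymous users as the other pages.
            if (Session["UserEmail"] == null)
            {
                Response.Redirect("~/Login.aspx");
                return;
            }

            // NOTE(review): never closed/aborted - confirm whether Service1Client needs it.
            AS_Service_Reference.Service1Client client = new AS_Service_Reference.Service1Client();
            var current_user = client.GetOneUser(Session["UserEmail"].ToString());

            // HTML-encoded before hashing, matching registration and login.
            var new_password = HttpUtility.HtmlEncode(tb_changePwd.Text.Trim());
            var pwdStrength  = checkPassword(new_password);

            // 5 is the only accepted checkPassword score (same threshold as registration).
            if (pwdStrength != 5)
            {
                checkPasswordFeedback(new_password);
                return;
            }

            // NOTE(review): the existing salt is reused for the new password. A fresh salt per
            // change would be preferable but needs ChangePassword to accept one.
            salt = current_user.PasswordSalt;

            string new_finalHash;
            using (SHA512Managed hashing = new SHA512Managed())
            {
                byte[] newhashWithSalt = hashing.ComputeHash(Encoding.UTF8.GetBytes(new_password + salt));
                new_finalHash = Convert.ToBase64String(newhashWithSalt);
            }

            // If new password match old password (string == is an ordinal comparison)
            if (new_finalHash == current_user.PasswordHash)
            {
                lbl_resultMsg.Text      = "Error, input same as your current password";
                lbl_resultMsg.ForeColor = Color.Red;
                return;
            }

            if (current_user.PasswordChangeCoolDown > DateTime.Now)
            {
                lbl_resultMsg.Text      = "Error, you are not allowed to change passwords repeatedly in a short span of time";
                lbl_resultMsg.ForeColor = Color.Red;
                return;
            }

            // Password history: the two previous hashes kept by the service. Same salt, so an
            // equal hash means an equal password.
            if (new_finalHash == current_user.PasswordHash_1 || new_finalHash == current_user.PasswordHash_2)
            {
                lbl_resultMsg.Text      = "Error, you are not allowed to reuse recent passwords";
                lbl_resultMsg.ForeColor = Color.Red;
                return;
            }

            // The service shifts the history: current -> _1, _1 -> _2.
            client.ChangePassword(current_user.Email, new_finalHash, current_user.PasswordHash, current_user.PasswordHash_1, current_user.PasswordHash_2);
            lbl_resultMsg.Text      = "Password changed successfully";
            lbl_resultMsg.ForeColor = Color.Green;
        }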
コード例 #5
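        /// <summary>
        /// Handles the register button: validates every field and shows per-field feedback;
        /// when all checks pass, hashes the password with a fresh random salt, encrypts the
        /// credit-card number with a per-user AES key/IV and creates the user via the service.
        /// </summary>
        /// <param name="sender">The button raising the event.</param>
        /// <param name="e">Event data (unused).</param>
        /// <remarks>
        /// Fixes over the previous version: the name pattern was <c>[^a-zA-z]</c>, whose
        /// <c>A-z</c> range also admits <c>[ \ ] ^ _ `</c>; the card number now has to be
        /// exactly 16 ASCII digits (<c>Int64.TryParse</c> also accepted a sign and whitespace);
        /// an unused hash of the unsalted password is no longer computed; the crypto objects are
        /// disposed. Messages and the service call are unchanged.
        /// </remarks>
        protected void btn_RegisterClick(object sender, EventArgs e)
        {
            lbl_fnFeedback.Visible    = false;
            lbl_lnFeedback.Visible    = false;
            lbl_pwdchecker.Visible    = false;
            lbl_emailFeedback.Visible = false;
            lbl_dobFeedback.Visible   = false;
            lbl_cciFeedback.Visible   = false;

            // Prevent XSS by sanitizing the user input with htmlencode
            var firstName      = HttpUtility.HtmlEncode(tb_firstName.Text.Trim());
            var lastName       = HttpUtility.HtmlEncode(tb_lastName.Text.Trim());
            var password       = HttpUtility.HtmlEncode(tb_password.Text.Trim());
            var emailAddress   = HttpUtility.HtmlEncode(tb_emailAddress.Text.Trim());
            var creditCardInfo = HttpUtility.HtmlEncode(tb_creditCardInfo.Text.Trim());

            var pwdStrength = checkPassword(password);

            // Validation: each failed rule flags its own label; check stays true only if all pass.
            var check = true;

            // Letters only, as two explicit ranges (A-z would also admit [ \ ] ^ _ `).
            if (Regex.IsMatch(firstName, "[^a-zA-Z]"))
            {
                lbl_fnFeedback.Text      = "Only uppercase and lowercase letters are allowed for name";
                lbl_fnFeedback.ForeColor = Color.Red;
                lbl_fnFeedback.Visible   = true;
                check = false;
            }

            if (Regex.IsMatch(lastName, "[^a-zA-Z]"))
            {
                lbl_lnFeedback.Text      = "Only uppercase and lowercase letters are allowed for name";
                lbl_lnFeedback.ForeColor = Color.Red;
                lbl_lnFeedback.Visible   = true;
                check = false;
            }

            // Missing input is reported after the pattern check so its message wins.
            if (firstName.Length == 0)
            {
                lbl_fnFeedback.Text      = "Input required";
                lbl_fnFeedback.ForeColor = Color.Red;
                lbl_fnFeedback.Visible   = true;
                check = false;
            }
            if (lastName.Length == 0)
            {
                lbl_lnFeedback.Text      = "Input required";
                lbl_lnFeedback.ForeColor = Color.Red;
                lbl_lnFeedback.Visible   = true;
                check = false;
            }

            if (emailAddress.Length == 0)
            {
                lbl_emailFeedback.Text      = "Input required";
                lbl_emailFeedback.ForeColor = Color.Red;
                lbl_emailFeedback.Visible   = true;
                check = false;
            }

            // NOTE(review): DateTime.TryParse uses the request thread's current culture, so
            // "01/02/2000" can be read as 2 January or 1 February depending on server locale.
            DateTime dob;
            if (!DateTime.TryParse(tb_dob.Text, out dob))
            {
                lbl_dobFeedback.Text      = "Birth Date is invalid!";
                lbl_dobFeedback.ForeColor = Color.Red;
                lbl_dobFeedback.Visible   = true;
                check = false;
            }

            // The raw (unencoded) text is checked; HtmlEncode never alters digits anyway.
            string cardDigits = tb_creditCardInfo.Text.Trim();
            if (cardDigits.Length != 16)
            {
                lbl_cciFeedback.Text      = $"Invalid credit card details, 16 digits required {cardDigits.Length}";
                lbl_cciFeedback.ForeColor = Color.Red;
                lbl_cciFeedback.Visible   = true;
                check = false;
            }

            // Exactly 16 ASCII digits; Int64.TryParse would also accept a leading sign or whitespace.
            if (!Regex.IsMatch(cardDigits, "^[0-9]{16}$"))
            {
                lbl_cciFeedback.Text      = $"Invalid credit card details, only 16 digits allowed {cardDigits}";
                lbl_cciFeedback.ForeColor = Color.Red;
                lbl_cciFeedback.Visible   = true;
                check = false;
            }

            // ENSURE ALL USERS USE EXCELLENT PASSWORDS!
            if (pwdStrength != 5)
            {
                checkPasswordFeedback(password);
                check = false;
            }

            // If no problems, create user
            if (!check)
            {
                return;
            }

            // Generate random "salt": 8 bytes, stored Base64-encoded.
            // NOTE(review): 16 bytes is the usual recommendation; the stored column width is
            // not visible here, so the length is left as is.
            byte[] saltByte = new byte[8];
            using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
            {
                // Fills array of bytes with a cryptographically strong sequence of random values
                rng.GetBytes(saltByte);
            }
            salt = Convert.ToBase64String(saltByte);

            // Salted SHA-512 of the (HTML-encoded) password. Login and change-password recompute
            // this exactly, so the encoding step must stay in sync across all three.
            using (SHA512Managed hashing = new SHA512Managed())
            {
                byte[] hashWithSalt = hashing.ComputeHash(Encoding.UTF8.GetBytes(password + salt));
                finalHash = Convert.ToBase64String(hashWithSalt);
            }

            // Fresh AES key and IV for this user; Key/IV return copies, so disposing the cipher
            // afterwards does not clear the arrays kept in the fields.
            // NOTE(review): CreateUser stores the key Base64-encoded next to the ciphertext, so
            // the encryption only protects against exposure of the card column on its own.
            using (RijndaelManaged cipher = new RijndaelManaged())
            {
                cipher.GenerateKey();
                Key = cipher.Key;
                IV  = cipher.IV;
            }

            // Encrypt Credit Card info (encryptData presumably reads the Key/IV fields set above)
            var encryptedCCInfo = Convert.ToBase64String(encryptData(creditCardInfo));

            // NOTE(review): never closed/aborted - confirm whether Service1Client needs it.
            AS_Service_Reference.Service1Client client = new AS_Service_Reference.Service1Client();
            int result = client.CreateUser(firstName, lastName, finalHash, salt, emailAddress, encryptedCCInfo, Convert.ToBase64String(IV), Convert.ToBase64String(Key), dob);
            if (result == 1)
            {
                // The redirect ends the response, so this text is only seen if it does not.
                lbl_alertmsg.Text = "You have successfully been registered";
                Response.Redirect("~/Success.aspx");
            }
            else
            {
                lbl_alertmsg.Text = "Registration failed";
            }
        }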