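protected void Page_Load(object sender, EventArgs e)
{
    // Password-expiry gate shared by the authenticated pages: once the signed-in
    // user's PasswordAge has passed, send them to PasswordExpired.aspx.
    // PasswordExpired.aspx and ChangePassword.aspx are exempt so the redirect
    // cannot loop and the user is still able to fix the problem.
    if (Session["UserEmail"] == null)
    {
        return; // no signed-in user; nothing to enforce here
    }

    // IIS resolves paths case-insensitively, so an ordinal compare would redirect
    // "/changepassword.aspx" and send "/passwordexpired.aspx" through one extra hop.
    // NOTE(review): LocalPath includes any virtual-directory prefix; if the site is
    // not deployed at the root neither exemption matches - confirm the deployment.
    string path = Request.Url.LocalPath;
    bool exempt = string.Equals(path, "/PasswordExpired.aspx", StringComparison.OrdinalIgnoreCase)
               || string.Equals(path, "/ChangePassword.aspx", StringComparison.OrdinalIgnoreCase);
    if (exempt)
    {
        return;
    }

    // NOTE(review): if Service1Client is a WCF ClientBase it should be closed (or
    // aborted on fault) after use; confirm against the generated proxy.
    AS_Service_Reference.Service1Client client = new AS_Service_Reference.Service1Client();
    var current_user = client.GetOneUser(Session["UserEmail"].ToString());
    if (current_user == null)
    {
        // The session names a user the service no longer returns; the original code
        // dereferenced null here. NOTE(review): consider abandoning such a session.
        return;
    }

    if (current_user.PasswordAge < DateTime.Now)
    {
        Response.Redirect("PasswordExpired.aspx");
    }
}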
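protected void Page_Load(object sender, EventArgs e)
{
    // Landing page for a signed-in user: requires a session, then greets the user
    // by name. Anonymous requests (and sessions whose user can no longer be
    // resolved, which previously threw on a null dereference) go to the login page.
    if (Session["UserEmail"] == null)
    {
        Response.Redirect("~/Login.aspx");
        return;
    }

    // NOTE(review): if Service1Client is a WCF ClientBase it should be closed (or
    // aborted on fault) after use; confirm against the generated proxy.
    AS_Service_Reference.Service1Client client = new AS_Service_Reference.Service1Client();
    var current_user = client.GetOneUser(Session["UserEmail"].ToString());
    if (current_user == null)
    {
        Response.Redirect("~/Login.aspx");
        return;
    }

    // Label.Text is rendered verbatim, so stored names must be HTML-encoded here;
    // otherwise markup saved at registration would execute in the greeting.
    var fn = HttpUtility.HtmlEncode(current_user.FirstName);
    var ln = HttpUtility.HtmlEncode(current_user.LastName);
    lbl_userPageTitle.Text = $"Welcome {fn} {ln}";
}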
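protected void btn_login_Click(object sender, EventArgs e)
{
    // Login flow:
    //   1. reCAPTCHA must pass (ValidateCaptcha_v3, defined elsewhere in this page).
    //   2. The per-session failure counter (Session["LoginAttempts"]) must be below 3;
    //      once it is not, the named account is locked server-side.
    //   3. The account must not currently be locked (AccountLockExpiry in the past).
    //   4. Only then is the submitted password hashed and compared.
    // Step 3 deliberately runs before step 4: the original compared the password
    // first and only then reported the lock, so a locked account still confirmed
    // whether a guess was right ("locked" vs "invalid"). Checking the lock first
    // closes that oracle, at the cost of telling anyone that a locked address
    // exists - the smaller of the two leaks.
    //
    // NOTE(review): the attempt counter lives in the session, so a client that drops
    // its session cookie starts again at zero; a server-side counter keyed on the
    // account is needed for the lock to be meaningful.
    // NOTE(review): the stored hash is a single salted SHA-512, which is cheap to
    // brute-force offline; moving to PBKDF2/Argon2 needs a storage change and is out
    // of scope for this handler.
    AS_Service_Reference.Service1Client client = new AS_Service_Reference.Service1Client();

    if (!ValidateCaptcha_v3())
    {
        lbl_captchaScore.Text = "You did not pass the captcha validation";
        return;
    }

    // Both inputs are HTML-encoded before use. For the password this is part of the
    // stored-hash contract (the change-password handler encodes the same way), so it
    // cannot be dropped here without re-hashing every account.
    string email = HttpUtility.HtmlEncode(tb_email.Text.ToString().Trim());
    string pwd = HttpUtility.HtmlEncode(tb_password.Text.ToString().Trim());

    int attempts = Convert.ToInt32(Session["LoginAttempts"]); // null -> 0
    if (attempts >= 3)
    {
        // No attempts left in this session: lock the named account if it exists.
        // The lookup uses the same encoded key as the login path (the original used
        // the raw text here, so an address needing encoding was never locked).
        lbl_loginErrMsg.Text = "You are temporarily locked from accessing the login system due to multiple failed attempts, try again later.";
        var search_user = client.GetOneUser(email);
        if (search_user != null)
        {
            client.SetAccountLockOut(search_user.Email);
        }
        return;
    }

    var user = client.GetOneUser(email);
    string dbHash = client.getDBHash(email);
    string dbSalt = client.getDBSalt(email);
    if (user == null || string.IsNullOrEmpty(dbHash) || string.IsNullOrEmpty(dbSalt))
    {
        // Unknown email: same message as a wrong password so the form does not
        // confirm which addresses are registered.
        RecordFailedAttempt(attempts);
        return;
    }

    if (user.AccountLockExpiry >= DateTime.Now)
    {
        // Locked: report it without evaluating the password at all.
        lbl_loginErrMsg.Text = $"Your account has been temporarily locked due to multiple failed attempts,\n It will be available after {user.AccountLockExpiry}";
        lbl_loginErrMsg.ForeColor = System.Drawing.Color.Red;
        return;
    }

    string userHash;
    using (SHA512Managed hashing = new SHA512Managed())
    {
        byte[] hashWithSalt = hashing.ComputeHash(Encoding.UTF8.GetBytes(pwd + dbSalt));
        userHash = Convert.ToBase64String(hashWithSalt);
    }

    // Constant-time compare so response timing does not depend on how many leading
    // characters of the guess's digest match the stored one.
    if (!FixedTimeEquals(userHash, dbHash))
    {
        RecordFailedAttempt(attempts);
        return;
    }

    // Success: clear any stale lock and this session's failure counter, then
    // establish the signed-in state. The original try/catch that re-threw every
    // exception wrapped in a bare Exception is gone; failures now propagate with
    // their type and stack intact to the page's error handling.
    client.RemoveAccountLockOut(email);
    Session["LoginAttempts"] = 0;
    Session["UserEmail"] = email;

    // NOTE(review): the session id is not regenerated here, so a session created
    // before login keeps its id across the privilege change.
    string guidToken = Guid.NewGuid().ToString();
    Session["AuthCookie"] = guidToken;

    // HttpOnly keeps the token away from page script; Secure stops it being sent
    // over plain HTTP (always true once the site is served over HTTPS only).
    // NOTE(review): set SameSite as well where the framework version supports it.
    HttpCookie authCookie = new HttpCookie("AuthCookie", guidToken)
    {
        HttpOnly = true,
        Secure = Request.IsSecureConnection
    };
    Response.Cookies.Add(authCookie);
    Response.Redirect("UserPage.aspx", false);
}

// Shows the generic failure message and records one more failed attempt in this
// session. The same text is used for unknown email and wrong password on purpose.
private void RecordFailedAttempt(int attemptsSoFar)
{
    lbl_loginErrMsg.Text = "Invalid Email or Password";
    lbl_loginErrMsg.ForeColor = System.Drawing.Color.Red;
    Session["LoginAttempts"] = attemptsSoFar + 1;
}

// Compares two strings in time that depends only on their length, not on where
// the first difference is. A length mismatch returns at once; Base64 SHA-512
// digests all have the same length, so that reveals nothing about the value.
private static bool FixedTimeEquals(string a, string b)
{
    if (a == null || b == null || a.Length != b.Length)
    {
        return false;
    }

    int diff = 0;
    for (int i = 0; i < a.Length; i++)
    {
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}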
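protected void btn_submitChangePwd_Click(object sender, EventArgs e)
{
    // Change-password submit. Rejects, in this order: a weak password
    // (checkPassword score != 5), a password equal to the current one, a change
    // inside the cool-down window (PasswordChangeCoolDown), and reuse of either
    // of the two previous passwords (PasswordHash_1 / PasswordHash_2). Every
    // history check compares salted SHA-512 digests made with the account's
    // existing salt, which is why the salt is reused rather than rotated.
    //
    // NOTE(review): the handler never asks for the current password, so anyone
    // holding the session can set a new one; re-authentication is the usual
    // control for that.
    if (Session["UserEmail"] == null)
    {
        // Not signed in: the original dereferenced the null session value and threw.
        Response.Redirect("~/Login.aspx");
        return;
    }

    AS_Service_Reference.Service1Client client = new AS_Service_Reference.Service1Client();
    var current_user = client.GetOneUser(Session["UserEmail"].ToString());
    if (current_user == null)
    {
        Response.Redirect("~/Login.aspx");
        return;
    }

    // Encoded before hashing to match how the login handler derives its hash.
    var new_password = HttpUtility.HtmlEncode(tb_changePwd.Text.Trim());

    // checkPassword / checkPasswordFeedback are defined elsewhere in this page;
    // 5 appears to be the score at which every strength rule is met - confirm.
    if (checkPassword(new_password) != 5)
    {
        checkPasswordFeedback(new_password);
        return;
    }

    // `salt` is a page-level field the original also assigned; kept so any other
    // reader of it observes the same value.
    salt = current_user.PasswordSalt;
    string new_finalHash;
    using (SHA512Managed hashing = new SHA512Managed())
    {
        byte[] newhashWithSalt = hashing.ComputeHash(Encoding.UTF8.GetBytes(new_password + salt));
        new_finalHash = Convert.ToBase64String(newhashWithSalt);
    }

    if (new_finalHash == current_user.PasswordHash)
    {
        ShowChangePwdResult("Error, input same as your current password", Color.Red);
        return;
    }

    if (current_user.PasswordChangeCoolDown > DateTime.Now)
    {
        ShowChangePwdResult("Error, you are not allowed to change passwords repeatedly in a short span of time", Color.Red);
        return;
    }

    if (new_finalHash == current_user.PasswordHash_1 || new_finalHash == current_user.PasswordHash_2)
    {
        ShowChangePwdResult("Error, you are not allowed to reuse recent passwords", Color.Red);
        return;
    }

    // The service shifts the current hash into the history slots alongside the new one.
    client.ChangePassword(current_user.Email, new_finalHash, current_user.PasswordHash, current_user.PasswordHash_1, current_user.PasswordHash_2);
    ShowChangePwdResult("Password changed successfully", Color.Green);
}

// Writes the outcome of a change-password attempt to lbl_resultMsg in the given colour.
private void ShowChangePwdResult(string message, Color color)
{
    lbl_resultMsg.Text = message;
    lbl_resultMsg.ForeColor = color;
}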