コード例 #1
0
        protected void btn_login_Click(object sender, EventArgs e)
        {
            // First Layer, check if attempts more than 3 for current session
            // Second Layer, check if the account is locked

            // Get our DB service
            AS_Service_Reference.Service1Client client = new AS_Service_Reference.Service1Client();

            if (ValidateCaptcha_v3())
            {
                // If Login Attempt < 3
                if (Convert.ToInt32(Session["LoginAttempts"]) < 3)
                {
                    string        email   = HttpUtility.HtmlEncode(tb_email.Text.ToString().Trim());
                    string        pwd     = HttpUtility.HtmlEncode(tb_password.Text.ToString().Trim());
                    SHA512Managed hashing = new SHA512Managed();

                    string dbHash = client.getDBHash(email);
                    string dbSalt = client.getDBSalt(email);

                    try
                    {
                        if (dbSalt != null && dbSalt.Length > 0 && dbHash != null && dbHash.Length > 0)
                        {
                            string pwdWithSalt  = pwd + dbSalt;
                            byte[] hashWithSalt = hashing.ComputeHash(Encoding.UTF8.GetBytes(pwdWithSalt));
                            string userHash     = Convert.ToBase64String(hashWithSalt);
                            if (userHash.Equals(dbHash))
                            {
                                if (client.GetOneUser(email).AccountLockExpiry < DateTime.Now)
                                {
                                    client.RemoveAccountLockOut(email);

                                    Session["UserEmail"] = email;


                                    // Create a new GUID and save into the session
                                    string guidToken = Guid.NewGuid().ToString();
                                    Session["AuthCookie"] = guidToken;

                                    // now create a new cookie with this guid value
                                    Response.Cookies.Add(new HttpCookie("AuthCookie", guidToken));

                                    Response.Redirect("UserPage.aspx", false);
                                }

                                else
                                {
                                    lbl_loginErrMsg.Text      = $"Your account has been temporarily locked due to multiple failed attempts,\n It will be available after {client.GetOneUser(email).AccountLockExpiry}";
                                    lbl_loginErrMsg.ForeColor = System.Drawing.Color.Red;
                                }
                            }



                            else
                            {
                                // When password is wrong, but we still provide a generic error message
                                lbl_loginErrMsg.Text      = "Invalid Email or Password";
                                lbl_loginErrMsg.ForeColor = System.Drawing.Color.Red;
                                Session["LoginAttempts"]  = Convert.ToInt32(Session["LoginAttempts"]) + 1;
                            }
                        }

                        else
                        {
                            // When email is wrong
                            lbl_loginErrMsg.Text      = "Invalid Email or Password";
                            lbl_loginErrMsg.ForeColor = System.Drawing.Color.Red;
                            Session["LoginAttempts"]  = Convert.ToInt32(Session["LoginAttempts"]) + 1;
                            //Response.Write(Session["LoginAttempts"].ToString());
                        }
                    }
                    catch (Exception ex)
                    {
                        throw new Exception(ex.ToString());
                    }
                    finally { }
                }


                // When there is no more login attempts available
                else
                {
                    lbl_loginErrMsg.Text = "You are temporarily locked from accessing the login system due to multiple failed attempts, try again later.";

                    var search_user = client.GetOneUser(tb_email.Text.Trim());

                    if (search_user != null)
                    {
                        client.SetAccountLockOut(search_user.Email);
                        //Response.Write($"SET LOG OUT FOR {search_user.FirstName} {search_user.LastName} {search_user.AccountLocked} {search_user.AccountLockExpiry}");
                    }
                }
            }

            else
            {
                lbl_captchaScore.Text = "You did not pass the captcha validation";
            }
        }