/// <summary>
/// Page_Load guard that sends users whose password has expired to PasswordExpired.aspx.
/// It does nothing on PasswordExpired.aspx itself (that would loop) and on
/// ChangePassword.aspx, which is the page that resolves the expiry.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    // Keep redirect: the expiry page must never redirect to itself.
    string path = Request.Url.LocalPath;
    if (path == "/PasswordExpired.aspx")
    {
        return;
    }

    object sessionEmail = Session["UserEmail"];
    if (sessionEmail == null)
    {
        // Anonymous request: there is no password to check.
        return;
    }

    var client = new AS_Service_Reference.Service1Client();
    var currentUser = client.GetOneUser(sessionEmail.ToString());

    // PasswordAge is compared against server local time (DateTime.Now), as elsewhere
    // on these pages; a value in the past means the password has expired.
    bool expired = currentUser.PasswordAge < DateTime.Now;
    if (expired && path != "/ChangePassword.aspx")
    {
        Response.Redirect("PasswordExpired.aspx");
    }
}
/// <summary>
/// Page_Load for the signed-in user page: anonymous visitors are redirected to the
/// login page; everyone else is greeted by first and last name.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    object sessionEmail = Session["UserEmail"];
    if (sessionEmail == null)
    {
        // Not signed in: send the visitor to the login page.
        Response.Redirect("~/Login.aspx");
    }
    else
    {
        var client = new AS_Service_Reference.Service1Client();
        var currentUser = client.GetOneUser(sessionEmail.ToString());
        lbl_userPageTitle.Text = $"Welcome {currentUser.FirstName} {currentUser.LastName}";
    }
}
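/// <summary>
/// Handles the login button. Order of checks: reCAPTCHA result, per-session attempt
/// counter, salted SHA-512 hash comparison, then the server-side account lock. On
/// success the session is populated and an auth cookie is issued.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btn_login_Click(object sender, EventArgs e)
{
    // First layer: attempts counted in Session["LoginAttempts"] (a null entry reads as 0).
    // Second layer: the account lock held on the user record by the service.
    var client = new AS_Service_Reference.Service1Client();

    if (!ValidateCaptcha_v3())
    {
        lbl_captchaScore.Text = "You did not pass the captcha validation";
        return;
    }

    int attempts = Convert.ToInt32(Session["LoginAttempts"]);

    // The same HtmlEncode step is applied at registration and password change, so the
    // text that gets hashed is consistent across the three handlers.
    string email = HttpUtility.HtmlEncode(tb_email.Text.Trim());

    if (attempts >= 3)
    {
        // Session is out of attempts: lock whichever account the submitted email names.
        // The lookup now uses the encoded email like every other service call in this
        // handler, instead of the raw textbox value.
        lbl_loginErrMsg.Text = "You are temporarily locked from accessing the login system due to multiple failed attempts, try again later.";
        var searchUser = client.GetOneUser(email);
        if (searchUser != null)
        {
            client.SetAccountLockOut(searchUser.Email);
        }
        return;
    }

    string pwd = HttpUtility.HtmlEncode(tb_password.Text.Trim());
    string dbHash = client.getDBHash(email);
    string dbSalt = client.getDBSalt(email);

    // Only a known email (salt and hash present) gets a hash computed; an unknown
    // email falls straight through to the generic failure below.
    bool passwordMatches = false;
    if (!string.IsNullOrEmpty(dbSalt) && !string.IsNullOrEmpty(dbHash))
    {
        using (var hashing = new SHA512Managed())
        {
            byte[] hashWithSalt = hashing.ComputeHash(Encoding.UTF8.GetBytes(pwd + dbSalt));
            string userHash = Convert.ToBase64String(hashWithSalt);
            // Length-independent comparison: an ordinal string Equals may return at the
            // first differing character, which leaks how much of the hash matched.
            passwordMatches = FixedTimeEquals(Encoding.UTF8.GetBytes(userHash), Encoding.UTF8.GetBytes(dbHash));
        }
    }

    if (!passwordMatches)
    {
        // Unknown email and wrong password share one message so the response does
        // not reveal which emails are registered. Both count as a failed attempt.
        lbl_loginErrMsg.Text = "Invalid Email or Password";
        lbl_loginErrMsg.ForeColor = System.Drawing.Color.Red;
        Session["LoginAttempts"] = attempts + 1;
        return;
    }

    // The lock is checked only after the password verified, so a locked account still
    // answers wrong guesses with the generic message above. One lookup replaces the
    // two identical GetOneUser calls the previous version made.
    var user = client.GetOneUser(email);
    if (user.AccountLockExpiry < DateTime.Now)
    {
        client.RemoveAccountLockOut(email);
        Session["UserEmail"] = email;

        // Fresh token per login, kept in the session and mirrored in a cookie.
        string guidToken = Guid.NewGuid().ToString();
        Session["AuthCookie"] = guidToken;
        var authCookie = new HttpCookie("AuthCookie", guidToken)
        {
            // Keep the token out of reach of script, and send it only over TLS
            // when the request itself arrived over TLS.
            HttpOnly = true,
            Secure = Request.IsSecureConnection,
        };
        Response.Cookies.Add(authCookie);
        // NOTE(review): the ASP.NET session id itself is not regenerated here; confirm
        // that is handled elsewhere, otherwise a pre-login session id survives login.
        Response.Redirect("UserPage.aspx", false);
    }
    else
    {
        lbl_loginErrMsg.Text = $"Your account has been temporarily locked due to multiple failed attempts,\n It will be available after {user.AccountLockExpiry}";
        lbl_loginErrMsg.ForeColor = System.Drawing.Color.Red;
    }
    // Service or hashing failures now propagate unchanged; the previous
    // catch (Exception) rethrew them as a bare Exception, losing type and stack trace.
}

/// <summary>
/// Compares two byte arrays in time that depends only on their length, not on the
/// position of the first difference. Returns false when either is null or the
/// lengths differ.
/// </summary>
/// <param name="left">First array.</param>
/// <param name="right">Second array.</param>
/// <returns>True when both arrays hold the same bytes.</returns>
private static bool FixedTimeEquals(byte[] left, byte[] right)
{
    if (left == null || right == null || left.Length != right.Length)
    {
        return false;
    }

    int diff = 0;
    for (int i = 0; i < left.Length; i++)
    {
        // OR-accumulate so every byte is visited regardless of earlier mismatches.
        diff |= left[i] ^ right[i];
    }
    return diff == 0;
}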
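/// <summary>
/// Handles the change-password button: requires a signed-in session, checks the new
/// password's strength, rejects reuse of the current or two previous passwords and
/// changes inside the cool-down window, then stores the new salted SHA-512 hash.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btn_submitChangePwd_Click(object sender, EventArgs e)
{
    object sessionEmail = Session["UserEmail"];
    if (sessionEmail == null)
    {
        // The previous version dereferenced a null session entry here; send the
        // caller to the login page instead, as the user page's Page_Load does.
        Response.Redirect("~/Login.aspx");
        return;
    }

    var client = new AS_Service_Reference.Service1Client();
    var currentUser = client.GetOneUser(sessionEmail.ToString());

    // Same HtmlEncode step as registration and login, so the hashed text is consistent.
    var newPassword = HttpUtility.HtmlEncode(tb_changePwd.Text.Trim());
    if (checkPassword(newPassword) != 5)
    {
        checkPasswordFeedback(newPassword);
        return;
    }

    // The user keeps their existing salt. The page field `salt` is assigned as before
    // so anything else on the page that reads it sees the same value.
    salt = currentUser.PasswordSalt;
    string newFinalHash;
    using (var hashing = new SHA512Managed())
    {
        byte[] newHashWithSalt = hashing.ComputeHash(Encoding.UTF8.GetBytes(newPassword + salt));
        newFinalHash = Convert.ToBase64String(newHashWithSalt);
    }

    if (newFinalHash == currentUser.PasswordHash)
    {
        lbl_resultMsg.Text = "Error, input same as your current password";
        lbl_resultMsg.ForeColor = Color.Red;
        return;
    }

    if (currentUser.PasswordChangeCoolDown > DateTime.Now)
    {
        lbl_resultMsg.Text = "Error, you are not allowed to change passwords repeatedly in a short span of time";
        lbl_resultMsg.ForeColor = Color.Red;
        return;
    }

    if (newFinalHash == currentUser.PasswordHash_1 || newFinalHash == currentUser.PasswordHash_2)
    {
        lbl_resultMsg.Text = "Error, you are not allowed to reuse recent passwords";
        lbl_resultMsg.ForeColor = Color.Red;
        return;
    }

    // NOTE(review): the current password is not re-verified in this handler; confirm
    // the form requires it before a change is accepted.
    client.ChangePassword(currentUser.Email, newFinalHash, currentUser.PasswordHash, currentUser.PasswordHash_1, currentUser.PasswordHash_2);
    lbl_resultMsg.Text = "Password changed successfully";
    lbl_resultMsg.ForeColor = Color.Green;
}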
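/// <summary>
/// Handles the register button: validates every field and, when all pass, generates a
/// random salt, hashes the password with it, encrypts the credit card number with a
/// fresh AES key/IV and creates the user through the service.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btn_RegisterClick(object sender, EventArgs e)
{
    lbl_fnFeedback.Visible = false;
    lbl_lnFeedback.Visible = false;
    lbl_pwdchecker.Visible = false;
    lbl_emailFeedback.Visible = false;
    lbl_dobFeedback.Visible = false;
    lbl_cciFeedback.Visible = false;

    // HtmlEncode the values that are stored and later rendered. The encoded form is
    // also what gets hashed, matching the login and change-password handlers.
    var firstName = HttpUtility.HtmlEncode(tb_firstName.Text.Trim());
    var lastName = HttpUtility.HtmlEncode(tb_lastName.Text.Trim());
    var password = HttpUtility.HtmlEncode(tb_password.Text.Trim());
    var emailAddress = HttpUtility.HtmlEncode(tb_emailAddress.Text.Trim());
    var creditCardInfo = HttpUtility.HtmlEncode(tb_creditCardInfo.Text.Trim());
    string rawCreditCard = tb_creditCardInfo.Text.Trim();

    // Validation: every failing check sets its label and clears `check`.
    var check = true;

    // Letters only. The previous pattern "[^a-zA-z]" (lowercase z) is a classic slip:
    // the range A-z also admits [ \ ] ^ _ and the backtick.
    if (Regex.IsMatch(firstName, "[^a-zA-Z]"))
    {
        lbl_fnFeedback.Text = "Only uppercase and lowercase letters are allowed for name";
        lbl_fnFeedback.ForeColor = Color.Red;
        lbl_fnFeedback.Visible = true;
        check = false;
    }
    if (Regex.IsMatch(lastName, "[^a-zA-Z]"))
    {
        lbl_lnFeedback.Text = "Only uppercase and lowercase letters are allowed for name";
        lbl_lnFeedback.ForeColor = Color.Red;
        lbl_lnFeedback.Visible = true;
        check = false;
    }
    if (firstName.Length == 0)
    {
        lbl_fnFeedback.Text = "Input required";
        lbl_fnFeedback.ForeColor = Color.Red;
        lbl_fnFeedback.Visible = true;
        check = false;
    }
    if (lastName.Length == 0)
    {
        lbl_lnFeedback.Text = "Input required";
        lbl_lnFeedback.ForeColor = Color.Red;
        lbl_lnFeedback.Visible = true;
        check = false;
    }
    if (emailAddress.Length == 0)
    {
        // NOTE(review): only presence is checked here; the address format is not.
        lbl_emailFeedback.Text = "Input required";
        lbl_emailFeedback.ForeColor = Color.Red;
        lbl_emailFeedback.Visible = true;
        check = false;
    }

    DateTime dob;
    if (!DateTime.TryParse(tb_dob.Text, out dob))
    {
        lbl_dobFeedback.Text = "Birth Date is invalid!";
        lbl_dobFeedback.ForeColor = Color.Red;
        lbl_dobFeedback.Visible = true;
        check = false;
    }

    if (rawCreditCard.Length != 16)
    {
        lbl_cciFeedback.Text = $"Invalid credit card details, 16 digits required {rawCreditCard.Length}";
        lbl_cciFeedback.ForeColor = Color.Red;
        lbl_cciFeedback.Visible = true;
        check = false;
    }
    // Digits only. Int64.TryParse, used before, also accepted a leading sign and
    // surrounding whitespace, which is not what the message promises.
    if (!Regex.IsMatch(rawCreditCard, "^[0-9]+$"))
    {
        lbl_cciFeedback.Text = $"Invalid credit card details, only 16 digits allowed {rawCreditCard}";
        lbl_cciFeedback.ForeColor = Color.Red;
        lbl_cciFeedback.Visible = true;
        check = false;
    }

    // ENSURE ALL USERS USE EXCELLENT PASSWORDS!
    if (checkPassword(password) != 5)
    {
        checkPasswordFeedback(password);
        check = false;
    }

    if (!check)
    {
        return;
    }

    // Random salt, 8 bytes Base64-encoded (the size existing rows use).
    // NOTE(review): 16 bytes is the usual recommendation; check the width the
    // service stores the salt in before changing it.
    byte[] saltBytes = new byte[8];
    using (var rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(saltBytes);
    }
    salt = Convert.ToBase64String(saltBytes);

    // Salted SHA-512 of the encoded password. The unsalted digest the previous
    // version also computed was never used and is no longer produced.
    using (var hashing = new SHA512Managed())
    {
        byte[] hashWithSalt = hashing.ComputeHash(Encoding.UTF8.GetBytes(password + salt));
        finalHash = Convert.ToBase64String(hashWithSalt);
    }

    // Fresh AES key and IV for this user's card number. encryptData takes no key
    // argument, so it presumably reads the page fields Key/IV set here — keep this
    // order. Reading cipher.IV generates one when none has been set.
    using (var cipher = new RijndaelManaged())
    {
        cipher.GenerateKey();
        Key = cipher.Key;
        IV = cipher.IV;
    }

    var encryptedCCInfo = Convert.ToBase64String(encryptData(creditCardInfo));

    // NOTE(review): the key and IV are stored in the same record as the ciphertext,
    // so anyone who can read the row can decrypt the card number.
    var client = new AS_Service_Reference.Service1Client();
    int result = client.CreateUser(firstName, lastName, finalHash, salt, emailAddress, encryptedCCInfo, Convert.ToBase64String(IV), Convert.ToBase64String(Key), dob);
    if (result == 1)
    {
        lbl_alertmsg.Text = "You have successfully been registered";
        Response.Redirect("~/Success.aspx");
    }
    else
    {
        lbl_alertmsg.Text = "Registration failed";
    }
}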