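/// <summary>
/// Handles the sign-in button: looks the submitted username up in Data.Employee, verifies the
/// submitted password against the stored salt and hash via HashSalt.VerifySaltedHash and, on
/// success, stores Person_ID in session and issues a non-persistent forms-authentication cookie.
/// On failure the page-level <c>message</c> element is made visible.
/// </summary>
/// <param name="sender">The control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btnSubmit_Click(object sender, EventArgs e)
{
    try
    {
        // Hide the "new user" message if it is showing and repurpose the element for the
        // sign-in error. Attributes["class"] is null when the element has no class attribute.
        if (strType != "")
        {
            message.InnerText = "Incorrect username or password entered.";
            string cssClass = message.Attributes["class"] ?? "";
            message.Attributes.Add("class", cssClass.Replace("message", "invalidInput"));
            message.Style["display"] = "none";
        }

        // An absent form field arrives as null; a null SqlParameter.Value is treated as
        // "parameter not supplied" and makes ExecuteReader throw, so coerce to "".
        string strUsername = Request.Form["txtUsername"] ?? "";
        string strEnteredPassword = Request.Form["txtPassword"] ?? "";

        bool signedIn = false;
        conn.Open();
        try
        {
            string qry = "SELECT * FROM Data.Employee WHERE Username = @username";
            using (SqlCommand cmd = new SqlCommand(qry, conn))
            {
                cmd.Parameters.Add("@username", System.Data.SqlDbType.VarChar).Value = strUsername;

                // Dispose the reader as well as the command; the original leaked it.
                using (SqlDataReader sdr = cmd.ExecuteReader())
                {
                    if (sdr.Read())
                    {
                        string strHash = sdr["Password"].ToString();
                        string strSalt = sdr["Salt"].ToString();

                        // Trim before verifying: the stored values are trimmed here in the
                        // original too (presumably CHAR-padded columns — confirm against schema).
                        signedIn = HashSalt.VerifySaltedHash(strEnteredPassword, strHash.Trim(), strSalt.Trim());
                        if (signedIn)
                        {
                            Session["User_ID"] = sdr["Person_ID"];
                            FormsAuthentication.SetAuthCookie(sdr["Username"].ToString(), false);
                        }
                    }
                    // NOTE(review): an unknown username skips the hash check entirely, so the
                    // response time differs from a wrong-password attempt; confirm whether that
                    // timing difference is acceptable for this deployment.
                }
            }
        }
        finally
        {
            // Close on every path, including exceptions thrown by the query.
            conn.Close();
        }

        if (signedIn)
        {
            Response.Redirect("Home.aspx");
        }
        else
        {
            // Same visible outcome for "user not found" and "wrong password".
            message.Style["display"] = "block";
        }
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Response.Redirect ends the request by aborting the thread; let that propagate
        // instead of reporting it as an error.
        throw;
    }
    catch (Exception ex)
    {
        // Keep the detail server-side; echoing ex.Message to the browser disclosed
        // internals (connection and query failures) to the end user.
        System.Diagnostics.Trace.TraceError(ex.ToString());
        message.InnerText = "Sign-in is unavailable right now. Please try again.";
        message.Style["display"] = "block";
    }
}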
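/// <summary>
/// Handles the "reset credentials" button. When a username is submitted the request is
/// treated as "forgot password": if first name, last name, email and username all match a
/// Data.Employee row, <c>sendResetEmail</c> is called. When a password is submitted instead
/// the request is treated as "forgot username": if name and email match and the password
/// verifies against the stored salt and hash, <c>sendForgotUsernameEmail</c> is called.
/// In every case (including no match) the user is redirected to the "email sent" page so
/// the response does not reveal which accounts exist.
/// </summary>
/// <param name="sender">The control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btnResetCredentials_Click(object sender, EventArgs e)
{
    try
    {
        // An absent form field arrives as null; a null SqlParameter.Value is treated as
        // "parameter not supplied" and makes ExecuteReader throw, so coerce every field to "".
        string strFirstName = Request.Form["txtFirstName"] ?? "";
        string strLastName = Request.Form["txtLastName"] ?? "";
        string strEmail = Request.Form["txtEmail"] ?? "";
        string strUsername = Request.Form["txtUsername"] ?? "";
        string strEnteredPassword = Request.Form["txtPassword"] ?? "";

        // Local connection (hides any page-level one). The using block closes and disposes it
        // on every path; the original only closed it when one of the two branches ran.
        using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString()))
        {
            conn.Open();

            if (strUsername != "")
            {
                // Forgot password: all four identifying fields must match one row.
                string qry = "SELECT * FROM Data.Employee WHERE First_Name = @firstname AND Last_Name = @lastname AND Email = @email AND Username = @username";
                using (SqlCommand cmd = new SqlCommand(qry, conn))
                {
                    cmd.Parameters.Add("@firstname", System.Data.SqlDbType.VarChar).Value = strFirstName;
                    cmd.Parameters.Add("@lastname", System.Data.SqlDbType.VarChar).Value = strLastName;
                    cmd.Parameters.Add("@email", System.Data.SqlDbType.VarChar).Value = strEmail;
                    cmd.Parameters.Add("@username", System.Data.SqlDbType.VarChar).Value = strUsername;

                    using (SqlDataReader sdr = cmd.ExecuteReader())
                    {
                        if (sdr.Read())
                        {
                            // Matching user found: send the reset e-mail using the stored
                            // username rather than the submitted spelling.
                            int intID = (int)sdr["Person_ID"];
                            sendResetEmail(intID, sdr["Username"].ToString(), strEmail);
                        }
                    }
                }
            }
            else if (strEnteredPassword != "")
            {
                // Forgot username: name and e-mail must match and the password must verify.
                string qry = "SELECT * FROM Data.Employee WHERE First_Name = @firstname AND Last_Name = @lastname AND Email = @email";
                using (SqlCommand cmd = new SqlCommand(qry, conn))
                {
                    cmd.Parameters.Add("@firstname", System.Data.SqlDbType.VarChar).Value = strFirstName;
                    cmd.Parameters.Add("@lastname", System.Data.SqlDbType.VarChar).Value = strLastName;
                    cmd.Parameters.Add("@email", System.Data.SqlDbType.VarChar).Value = strEmail;

                    using (SqlDataReader sdr = cmd.ExecuteReader())
                    {
                        if (sdr.Read())
                        {
                            string strHash = sdr["Password"].ToString();
                            string strSalt = sdr["Salt"].ToString();

                            // Trim the stored values before verifying, as the sign-in handler does;
                            // the original verified untrimmed here, which is inconsistent.
                            bool passwordMatches = HashSalt.VerifySaltedHash(strEnteredPassword, strHash.Trim(), strSalt.Trim());
                            if (passwordMatches)
                            {
                                sendForgotUsernameEmail(sdr["Username"].ToString(), strEmail);
                            }
                        }
                    }
                }
            }
        }

        // Redirect to email sent page
        // This displays for invalid credentials as well so malicious users are not able to find valid usernames to attack
        Response.Redirect("reset.aspx?type=resetEmailSent");
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Response.Redirect ends the request by aborting the thread; let that propagate
        // instead of reporting it as an error.
        throw;
    }
    catch (Exception ex)
    {
        // Keep the detail server-side; echoing ex.Message to the browser disclosed
        // internals (connection and query failures) to the end user.
        System.Diagnostics.Trace.TraceError(ex.ToString());
        Response.Write("An error occurred while processing your request.");
    }
}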