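        /// <summary>
        /// Handles the sign-in button: looks up the submitted username with a parameterised
        /// query, verifies the salted password hash and, on success, stores the person id in
        /// session, issues the forms-authentication cookie and redirects to Home.aspx.
        /// Unknown username and wrong password both show the same message so the page does
        /// not reveal which of the two was wrong.
        /// </summary>
        /// <param name="sender">The control that raised the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void btnSubmit_Click(object sender, EventArgs e)
        {
            // Set only when the credentials check out. The redirect is issued after the
            // try/catch because Response.Redirect ends the response by raising a
            // ThreadAbortException in Web Forms, which the catch(Exception) below would
            // otherwise catch and report as an error.
            bool signInSucceeded = false;

            try
            {
                // Hide the new-user message if it is showing (strType is set elsewhere on the page)
                if (strType != "")
                {
                    message.InnerText = "Incorrect username or password entered.";
                    // Attributes["class"] is null when the element has no class attribute;
                    // the original .ToString() would throw in that case
                    string cssClass = message.Attributes["class"] ?? "";
                    message.Attributes.Add("class", cssClass.Replace("message", "invalidInput"));
                    message.Style["display"] = "none";
                }

                string strUsername        = Request.Form["txtUsername"];
                string strEnteredPassword = Request.Form["txtPassword"];

                conn.Open();
                try
                {
                    // Parameterised: the submitted username never becomes part of the SQL text
                    string qry = "SELECT * FROM Data.Employee WHERE Username = @username";
                    using (SqlCommand cmd = new SqlCommand(qry, conn))
                    {
                        cmd.Parameters.Add("@username", System.Data.SqlDbType.VarChar).Value = strUsername;

                        // The reader was previously never disposed; 'using' releases it on every path
                        using (SqlDataReader sdr = cmd.ExecuteReader())
                        {
                            if (sdr.Read())
                            {
                                string strHash = sdr["Password"].ToString();
                                string strSalt = sdr["Salt"].ToString();

                                // Trim: fixed-width CHAR columns come back space-padded
                                signInSucceeded = HashSalt.VerifySaltedHash(strEnteredPassword, strHash.Trim(), strSalt.Trim());

                                if (signInSucceeded)
                                {
                                    // Sign-in successful: establish the session before the reader closes
                                    Session["User_ID"] = sdr["Person_ID"];
                                    FormsAuthentication.SetAuthCookie(sdr["Username"].ToString(), false);
                                }
                            }
                            // NOTE(review): when the username is unknown no hash is computed, so
                            // the response is quicker than for a wrong password. The message shown
                            // is identical either way; if that timing difference matters, perform a
                            // dummy verification on the not-found path as well.
                        }
                    }
                }
                finally
                {
                    // Previously closed only on the three happy paths; an exception left it open
                    conn.Close();
                }

                if (!signInSucceeded)
                {
                    // Same message for "username not found" and "incorrect password"
                    message.Style["display"] = "block";
                }
            }
            catch (Exception ex)
            {
                // Record the full exception server-side. ex.Message used to be written to the
                // response, which can expose connection-string and SQL details to the client.
                System.Diagnostics.Trace.TraceError(ex.ToString());
                message.InnerText = "An error occurred while signing in. Please try again.";
                message.Style["display"] = "block";
            }

            if (signInSucceeded)
            {
                Response.Redirect("Home.aspx");
            }
        }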
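        /// <summary>
        /// Handles the reset-credentials button. When a username was submitted it looks for an
        /// employee whose first name, last name, email and username all match and sends a
        /// password-reset email; when a password was submitted instead it looks the employee up
        /// by name and email, verifies the password and sends a forgot-username email. In every
        /// case (including no match) the user is redirected to the "email sent" page, so the
        /// response does not reveal whether a matching account exists.
        /// </summary>
        /// <param name="sender">The control that raised the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void btnResetCredentials_Click(object sender, EventArgs e)
        {
            // The redirect is issued after the try/catch: Response.Redirect ends the response by
            // raising a ThreadAbortException in Web Forms, which the catch(Exception) below
            // would otherwise catch and report as an error.
            bool lookupCompleted = false;

            try
            {
                string strFirstName       = Request.Form["txtFirstName"];
                string strLastName        = Request.Form["txtLastName"];
                string strEmail           = Request.Form["txtEmail"];
                // Request.Form returns null for a field that is not in the post, so the checks
                // below test for null as well as "" (the original `!= ""` let a null through
                // and the query then failed on an unsupplied parameter)
                string strUsername        = Request.Form["txtUsername"];
                string strEnteredPassword = Request.Form["txtPassword"];

                // 'using' closes the connection even when the query or the email send throws
                using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString()))
                {
                    conn.Open();

                    if (!string.IsNullOrEmpty(strUsername))
                    {
                        // Forgot password: all four identity fields must match one employee
                        string qry = "SELECT * FROM Data.Employee WHERE First_Name = @firstname AND Last_Name = @lastname AND Email = @email AND Username = @username";
                        using (SqlCommand cmd = new SqlCommand(qry, conn))
                        {
                            AddVarCharParameter(cmd, "@firstname", strFirstName);
                            AddVarCharParameter(cmd, "@lastname", strLastName);
                            AddVarCharParameter(cmd, "@email", strEmail);
                            AddVarCharParameter(cmd, "@username", strUsername);

                            // The reader was previously never disposed
                            using (SqlDataReader sdr = cmd.ExecuteReader())
                            {
                                if (sdr.Read())
                                {
                                    // Matching user found: send the reset link to the address on file
                                    int intID = (int)sdr["Person_ID"];
                                    sendResetEmail(intID, sdr["Username"].ToString(), strEmail);
                                }
                            }
                        }
                    }
                    else if (!string.IsNullOrEmpty(strEnteredPassword))
                    {
                        // Forgot username: name and email must match, and the password must verify
                        string qry = "SELECT * FROM Data.Employee WHERE First_Name = @firstname AND Last_Name = @lastname AND Email = @email";
                        using (SqlCommand cmd = new SqlCommand(qry, conn))
                        {
                            AddVarCharParameter(cmd, "@firstname", strFirstName);
                            AddVarCharParameter(cmd, "@lastname", strLastName);
                            AddVarCharParameter(cmd, "@email", strEmail);

                            using (SqlDataReader sdr = cmd.ExecuteReader())
                            {
                                if (sdr.Read())
                                {
                                    string strFoundUsername = sdr["Username"].ToString();
                                    string strHash          = sdr["Password"].ToString();
                                    string strSalt          = sdr["Salt"].ToString();

                                    // Trim as the sign-in handler does: fixed-width CHAR columns
                                    // come back space-padded and would never verify otherwise
                                    bool passwordMatches = HashSalt.VerifySaltedHash(strEnteredPassword, strHash.Trim(), strSalt.Trim());

                                    if (passwordMatches)
                                    {
                                        // Only reveal the username to someone who knows the password
                                        sendForgotUsernameEmail(strFoundUsername, strEmail);
                                    }
                                }
                            }
                        }
                    }
                }

                lookupCompleted = true;
            }
            catch (Exception ex)
            {
                // Record the full exception server-side. ex.Message used to be written to the
                // response, which can expose connection-string, SQL or mail-server details.
                System.Diagnostics.Trace.TraceError(ex.ToString());
                Response.Write("An error occurred while processing your request. Please try again.");
            }

            if (lookupCompleted)
            {
                // Redirect to email sent page
                // This displays for invalid credentials as well so malicious users are not able to find valid usernames to attack
                Response.Redirect("reset.aspx?type=resetEmailSent");
            }
        }

        /// <summary>
        /// Adds a VarChar input parameter named <paramref name="name"/> with value
        /// <paramref name="value"/> to <paramref name="cmd"/>.
        /// </summary>
        private static void AddVarCharParameter(SqlCommand cmd, string name, string value)
        {
            cmd.Parameters.Add(name, System.Data.SqlDbType.VarChar).Value = value;
        }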