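        /// <summary>
        /// Login button handler: verifies the CAPTCHA, looks up the staff account by
        /// e-mail, enforces the lockout, checks the salted SHA-512 password hash and,
        /// on success, establishes the session and redirects to Staff_Home.aspx.
        /// </summary>
        /// <param name="sender">The login button (unused).</param>
        /// <param name="e">Click event data (unused).</param>
        protected void Button1_Click(object sender, EventArgs e) // on login
        {
            // Bot check first: a failed CAPTCHA must neither consume a login attempt
            // nor be appended to a credential error, which would tell the bot whether
            // the submitted password was right.
            if (!ValidateCaptcha())
            {
                error_lb.Text = "Something went wrong, please refresh and try again.";
                return;
            }

            const int LockoutMinutes = 30;
            string email = email_tb.Text.Trim();
            // Trim is kept because the stored hashes were produced from trimmed input;
            // dropping it would lock out passwords with leading/trailing spaces.
            string plaintext = password_tb.Text.Trim();

            // NOTE(review): Service1Client looks like a generated WCF proxy and is never
            // Close()d/Abort()ed here - confirm against the project's client lifecycle.
            DBServiceReference.Service1Client client = new DBServiceReference.Service1Client();
            var user = client.GetAccountByEmail(email); // staff account, or null when unknown

            if (user == null)
            {
                // Hash anyway so an unknown e-mail costs about the same as a wrong
                // password; the CheckSuspended call below still leaves a small gap.
                ComputePasswordHash(plaintext, string.Empty);
                error_lb.Text = "Invalid credentials"; // generic: does not reveal whether the account exists
                return;
            }

            if (client.CheckSuspended(user.Email)) // service reports the account is locked
            {
                // NOTE(review): this message confirms the account exists to anyone who
                // knows the e-mail; acceptable only if enumeration is not a concern here.
                // Locked_Since is compared against DateTime.Now - confirm the service
                // stores local time, otherwise the remaining minutes are off by the offset.
                TimeSpan elapsed = DateTime.Now.Subtract(Convert.ToDateTime(user.Locked_Since));
                double remaining = LockoutMinutes - elapsed.TotalMinutes;
                // Ceiling so the user is never told "0 minutes" while still locked, and
                // clamp so a stale Locked_Since cannot overflow or show a negative wait.
                int span = remaining > 0 ? (int)Math.Ceiling(remaining) : 0;
                error_lb.Text = "Your account has been locked. Please wait " + span + " minutes before trying again.";
                return;
            }

            // NOTE(review): a single salted SHA-512 is fast to brute-force offline; a
            // slow KDF (PBKDF2/bcrypt) is recommended, but that needs a stored-hash
            // format migration and is out of scope for this handler.
            string hashedpw = ComputePasswordHash(plaintext, user.Password_Salt);

            if (!FixedTimeEquals(hashedpw, user.Password))
            {
                client.CheckAttempts(user.Email, false); // one attempt consumed
                error_lb.Text = "Invalid credentials"; // same text as the unknown-account path
                return;
            }

            client.CheckAttempts(user.Email, true); // successful login

            // NOTE(review): the session id is not regenerated on login; without a
            // fresh id a pre-set session cookie (session fixation) survives the login.
            Session["LoggedIn"] = user.Email;
            Session["Role"]     = user.Type; // role for later authorization checks

            // The token is kept in the session and mirrored in a cookie so later
            // requests can be matched against the session.
            string guid = Guid.NewGuid().ToString();
            Session["AuthToken"] = guid;

            HttpCookie authCookie = new HttpCookie("AuthToken", guid);
            authCookie.HttpOnly = true; // not readable by script, limits XSS impact
            authCookie.Secure   = true; // sent over HTTPS only; the login page must be served over TLS anyway
            Response.Cookies.Add(authCookie);

            client.UpdateLastLogin(user.Email);
            Response.Redirect("Staff_Home.aspx");
        }

        /// <summary>
        /// Computes Base64(SHA-512(UTF-8(plaintext + salt))), the format the stored
        /// <c>Password</c> value is compared against. A null salt behaves as empty,
        /// matching plain string concatenation.
        /// </summary>
        private static string ComputePasswordHash(string plaintext, string salt)
        {
            using (SHA512Managed hashing = new SHA512Managed()) // IDisposable: release the handle
            {
                byte[] digest = hashing.ComputeHash(Encoding.UTF8.GetBytes(plaintext + salt));
                return Convert.ToBase64String(digest);
            }
        }

        /// <summary>
        /// Compares two strings without short-circuiting on the first mismatch, so the
        /// comparison time does not depend on how many leading characters match.
        /// Only the length is allowed to leak (the hash strings have a fixed length).
        /// Null on either side is treated as a mismatch.
        /// </summary>
        private static bool FixedTimeEquals(string a, string b)
        {
            if (a == null || b == null || a.Length != b.Length)
            {
                return false;
            }
            int diff = 0;
            for (int i = 0; i < a.Length; i++)
            {
                diff |= a[i] ^ b[i];
            }
            return diff == 0;
        }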