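        /// <summary>
        /// Validates the password-reset link on page load: the <c>username</c> and <c>token</c>
        /// query-string values must correspond to an unused, unexpired token hash stored for that
        /// user. Any other case redirects to the invalid-token page.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            try {
                string strUsername = Request.QueryString["username"];
                string strToken    = Request.QueryString["token"];

                if (string.IsNullOrEmpty(strUsername) || string.IsNullOrEmpty(strToken))
                {
                    // No username or token provided
                    Response.Redirect("reset.aspx?type=invalidToken");
                    return;
                }

                txtUsername.Value = strUsername;

                bool blnHashesEqual = false;

                // Look up the stored hash of the user's current unused, unexpired reset token.
                // Validity is a plain date comparison against the database server's clock; the
                // previous DATEDIFF(millisecond, ...) form overflows (and errors) once a never-used
                // token is more than ~24 days past its expiry, which made the lookup fail for that user.
                string qry = "SELECT R.Token_Hash FROM Data.ResetTokens AS R JOIN Data.Employee AS E ON R.Person_ID = E.Person_ID WHERE E.Username = @username AND R.Token_Used = 0 AND R.Expiration_Date > GETDATE()";

                // using-blocks release the connection and reader on every path; previously they were
                // closed only when the query and the hash computation both succeeded.
                using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString()))
                using (SqlCommand cmd = new SqlCommand(qry, conn)) {
                    var usernameParam = new SqlParameter("@username", System.Data.SqlDbType.VarChar);
                    usernameParam.Value = strUsername;
                    cmd.Parameters.Add(usernameParam);

                    conn.Open();
                    using (SqlDataReader sdr = cmd.ExecuteReader())
                    {
                        if (sdr.Read())
                        {
                            // Token_Hash appears to be a CHAR column (it is bound as SqlDbType.Char when
                            // written), so trailing padding is trimmed before comparing.
                            string strHashedTokenDb = sdr["Token_Hash"].ToString().Trim();

                            // Only the hash of the presented token is compared, so the raw token is never
                            // sent to the database. NOTE(review): string equality is not constant-time;
                            // what leaks through timing here is the stored hash rather than the token
                            // itself, so this is defence-in-depth rather than a hard requirement.
                            string strHashedToken = HashSalt.GenerateHashString(strToken);
                            blnHashesEqual = string.Equals(strHashedToken, strHashedTokenDb, StringComparison.Ordinal);
                        }
                    }
                }

                if (!blnHashesEqual)
                {
                    // No usable token on record (already used, expired, or none issued) or the
                    // presented token does not match; one page for all cases so the response does
                    // not reveal which applies.
                    Response.Redirect("reset.aspx?type=invalidToken");
                }
            }
            catch (System.Threading.ThreadAbortException) {
                // Response.Redirect ends the request by aborting the thread; that is the normal
                // exit path, not an error to report.
                throw;
            }
            catch (Exception ex) {
                // Keep the details server-side; writing ex.Message to the response disclosed
                // database and configuration error text to the client.
                System.Diagnostics.Trace.TraceError(ex.ToString());
                Response.Write("An unexpected error occurred.");
            }
        }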
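        /// <summary>
        /// Handles the sign-in button: looks up the posted username, verifies the posted password
        /// against the stored salted hash and, on success, stores the user's Person_ID in session,
        /// issues the forms-authentication cookie and redirects to the home page. Unknown username
        /// and wrong password both show the same message.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void btnSubmit_Click(object sender, EventArgs e)
        {
            try {
                // Hide new user message if showing; its text and class are switched to the
                // generic failure message so it only needs to be made visible below.
                if (strType != "")
                {
                    message.InnerText = "Incorrect username or password entered.";
                    message.Attributes.Add("class", message.Attributes["class"].ToString().Replace("message", "invalidInput"));
                    message.Style["display"] = "none";
                }

                string strUsername        = Request.Form["txtUsername"];
                string strEnteredPassword = Request.Form["txtPassword"];
                bool   blnSignedIn        = false;

                string qry = "SELECT * FROM Data.Employee WHERE Username = @username";

                // conn is declared outside this method (it appears to be a page-level field), so it
                // is closed in a finally block: previously it stayed open when the query or the
                // verification threw.
                conn.Open();
                try {
                    using (SqlCommand cmd = new SqlCommand(qry, conn)) {
                        var usernameParam = new SqlParameter("@username", System.Data.SqlDbType.VarChar);
                        usernameParam.Value = strUsername;
                        cmd.Parameters.Add(usernameParam);

                        using (SqlDataReader sdr = cmd.ExecuteReader())
                        {
                            if (sdr.Read())
                            {
                                // Password and Salt appear to be CHAR columns (the reset handler binds
                                // them as SqlDbType.Char), hence the Trim before verification.
                                string strHash = sdr["Password"].ToString();
                                string strSalt = sdr["Salt"].ToString();

                                // Check if password hashes and salt match
                                if (HashSalt.VerifySaltedHash(strEnteredPassword, strHash.Trim(), strSalt.Trim()))
                                {
                                    // Sign-in successful
                                    // NOTE(review): the session id is not regenerated here; if session
                                    // fixation is a concern, abandon the old session before storing User_ID.
                                    Session["User_ID"] = sdr["Person_ID"];
                                    FormsAuthentication.SetAuthCookie(sdr["Username"].ToString(), false);
                                    blnSignedIn = true;
                                }
                            }
                        }
                    }
                }
                finally {
                    conn.Close();
                }

                if (blnSignedIn)
                {
                    Response.Redirect("Home.aspx");
                }
                else
                {
                    // Username not found or incorrect password: one message for both so the
                    // response does not reveal which usernames exist.
                    message.Style["display"] = "block";
                }
            }
            catch (System.Threading.ThreadAbortException) {
                // Response.Redirect ends the request by aborting the thread; not an error.
                throw;
            }
            catch (Exception ex) {
                // Keep the details server-side; writing ex.Message to the response disclosed
                // database error text to the client.
                System.Diagnostics.Trace.TraceError(ex.ToString());
                Response.Write("An unexpected error occurred.");
            }
        }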
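        /// <summary>
        /// Handles the new-user form: reads the posted employee details, stores a salted hash of
        /// the posted password (never the password itself) via <c>Shared.InsertNewEmployee</c>,
        /// and redirects to the sign-in page.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void btnSubmitNewUser_Click(object sender, EventArgs e)
        {
            try {
                string strFirstName  = Request.Form["txtFirstName"];
                string strMiddleName = Request.Form["txtMiddleName"];
                string strLastName   = Request.Form["txtLastName"];
                string strUsername   = Request.Form["txtUsername"];
                string strPassword   = Request.Form["txtPassword"];
                string strEmail      = Request.Form["txtEmail"];
                string strDepartment = Request.Form["sltDepartment"];
                bool   blnActive     = cbEmployeeStatus.Checked;

                // The employee id is machine data, so it is parsed with the invariant culture rather
                // than the server's locale. A non-numeric value throws FormatException as before.
                int intEmployeeID = Convert.ToInt32(Request.Form["txtEmployeeID"], System.Globalization.CultureInfo.InvariantCulture);

                // Salt and hash the password; only the hash and salt are handed on.
                // NOTE(review): no password-strength or duplicate-username check is visible here —
                // confirm it is enforced elsewhere.
                HashSalt hashSalt  = HashSalt.GenerateSaltedHash(32, strPassword);
                string   hashParam = hashSalt.Hash;
                string   saltParam = hashSalt.Salt;

                // Shared.InsertNewEmployee takes no connection argument, so the SqlConnection this
                // handler used to open and never touch has been removed; it only tied up a pooled
                // connection for the duration of the call.
                Shared.InsertNewEmployee(strFirstName, strMiddleName, strLastName, strUsername, hashParam, saltParam, blnActive, intEmployeeID, strEmail, strDepartment);

                Response.Redirect("signIn.aspx?type=newUser");
            }
            catch (System.Threading.ThreadAbortException) {
                // Response.Redirect ends the request by aborting the thread; not an error.
                throw;
            }
            catch (Exception ex) {
                // Keep the details server-side; writing ex.Message to the response disclosed
                // database error text to the client.
                System.Diagnostics.Trace.TraceError(ex.ToString());
                Response.Write("An unexpected error occurred.");
            }
        }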
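        /// <summary>
        /// Handles the reset-password form: replaces the stored password hash and salt for the
        /// posted username with a fresh salted hash of the posted password, marks that user's
        /// reset tokens as used, and redirects to the success page. Both updates run in one
        /// transaction so the password cannot change while its reset token stays usable.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void btnResetPassword_Click(object sender, EventArgs e)
        {
            try {
                string strPassword = Request.Form["txtPassword"];
                string strUsername = Request.Form["txtUsername"];

                // NOTE(review): nothing in this handler re-checks the reset token, and the username
                // is taken straight from the posted form. Confirm that the token validated earlier in
                // the page lifecycle is tied to this same username; this handler alone does not
                // enforce that.

                // Add hash password
                HashSalt hashSalt = HashSalt.GenerateSaltedHash(32, strPassword);

                string qryPassword = "UPDATE Data.Employee SET Password = @hash, Salt = @salt WHERE Username = @username";
                // The token update targets the alias R. Naming the table itself in the UPDATE clause
                // while the FROM clause aliases it is ambiguous in T-SQL and can affect rows outside
                // the join rather than only this user's tokens.
                string qryTokens   = "UPDATE R SET R.Token_Used = 1 FROM Data.ResetTokens AS R JOIN Data.Employee AS E ON R.Person_ID = E.Person_ID WHERE E.Username = @username";

                using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString()))
                {
                    conn.Open();

                    // Disposing an uncommitted SqlTransaction rolls it back, so a failure in either
                    // statement leaves both the password and the tokens unchanged.
                    using (SqlTransaction tx = conn.BeginTransaction())
                    {
                        using (SqlCommand cmd = new SqlCommand(qryPassword, conn, tx)) {
                            var usernameParam = new SqlParameter("@username", System.Data.SqlDbType.VarChar);
                            usernameParam.Value = strUsername;
                            cmd.Parameters.Add(usernameParam);

                            var hashParam = new SqlParameter("@hash", System.Data.SqlDbType.Char);
                            hashParam.Value = hashSalt.Hash;
                            cmd.Parameters.Add(hashParam);

                            // Add salt
                            var saltParam = new SqlParameter("@salt", System.Data.SqlDbType.Char);
                            saltParam.Value = hashSalt.Salt;
                            cmd.Parameters.Add(saltParam);

                            // UPDATE returns no rows: ExecuteNonQuery replaces the previous ExecuteReader,
                            // whose reader was never read or disposed.
                            cmd.ExecuteNonQuery();
                        }

                        // Mark token as used
                        using (SqlCommand cmd = new SqlCommand(qryTokens, conn, tx)) {
                            var usernameParam = new SqlParameter("@username", System.Data.SqlDbType.VarChar);
                            usernameParam.Value = strUsername;
                            cmd.Parameters.Add(usernameParam);

                            cmd.ExecuteNonQuery();
                        }

                        tx.Commit();
                    }
                }

                // Redirect to successful reset page
                Response.Redirect("reset.aspx?type=resetPasswordSuccess");
            }
            catch (System.Threading.ThreadAbortException) {
                // Response.Redirect ends the request by aborting the thread; not an error.
                throw;
            }
            catch (Exception ex) {
                // Keep the details server-side; writing ex.Message to the response disclosed
                // database error text to the client.
                System.Diagnostics.Trace.TraceError(ex.ToString());
                Response.Write("An unexpected error occurred.");
            }
        }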
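        /// <summary>
        /// Issues a password-reset token for an employee: marks any existing tokens as used, stores
        /// the hash of a new token with a three-hour expiry, and e-mails the employee a link that
        /// carries the raw token. Only the hash is persisted; the raw token exists only in the e-mail.
        /// </summary>
        /// <param name="intID">Person_ID of the employee.</param>
        /// <param name="strUsername">Username placed in the e-mail body and the reset link.</param>
        /// <param name="strEmail">Recipient address.</param>
        private void sendResetEmail(int intID, string strUsername, string strEmail)
        {
            string strToken       = generateToken();
            string strHashedToken = HashSalt.GenerateHashString(strToken);

            // Mark any existing tokens as used
            markExistingTokens();

            // Store the hashed token in the database. The expiry is bound as a DateTime parameter:
            // the previous query concatenated DateTime.ToString() into the SQL text, whose format
            // depends on the server's culture and can be read as a different date, or rejected, by
            // SQL Server. DateTime.Now (not UtcNow) is kept because the token lookup appears to
            // compare Expiration_Date against GETDATE(), the database server's local clock.
            string qry = "INSERT into Data.ResetTokens(Person_ID, Token_Hash, Expiration_Date, Token_Used) VALUES(@id, @tokenhash, @expiration, '0')";

            using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString()))
            using (SqlCommand cmd = new SqlCommand(qry, conn)) {
                var idParam = new SqlParameter("@id", System.Data.SqlDbType.Int);
                idParam.Value = intID;
                cmd.Parameters.Add(idParam);

                var tokenHashParam = new SqlParameter("@tokenhash", System.Data.SqlDbType.Char);
                tokenHashParam.Value = strHashedToken;
                cmd.Parameters.Add(tokenHashParam);

                var expirationParam = new SqlParameter("@expiration", System.Data.SqlDbType.DateTime);
                expirationParam.Value = DateTime.Now.AddHours(3);
                cmd.Parameters.Add(expirationParam);

                conn.Open();
                cmd.ExecuteNonQuery();
            }

            // Read the HTML template; File.ReadAllText closes the file even when reading throws,
            // which the previous StreamReader/Close pair did not.
            string templatePath = Path.Combine(HttpRuntime.AppDomainAppPath, "emailResetTemplate.html");
            string strEmailBody = File.ReadAllText(templatePath);

            // Replace the template placeholder variables. The body is HTML, so the username is
            // HTML-encoded there; the query-string values are URL-encoded so a username or token
            // containing reserved characters survives the round trip.
            string mainUrl = ConfigurationManager.AppSettings["mainURL"];
            strEmailBody = strEmailBody.Replace("[strUsername]", HttpUtility.HtmlEncode(strUsername));
            strEmailBody = strEmailBody.Replace("[actionURL]", mainUrl + "resetPassword?username=" + Uri.EscapeDataString(strUsername) + "&token=" + Uri.EscapeDataString(strToken));
            strEmailBody = strEmailBody.Replace("[mainURL]", mainUrl);

            SmtpSection section = (SmtpSection)ConfigurationManager.GetSection("system.net/mailSettings/smtp");

            // MailMessage is IDisposable (it owns its views and attachments); dispose it once sent.
            using (MailMessage mailMessage = new MailMessage(section.Network.UserName, strEmail))
            {
                mailMessage.IsBodyHtml = true;
                mailMessage.Body       = strEmailBody;
                mailMessage.Subject    = "Reset Your Password";

                SmtpClient smtpClient = new SmtpClient();
                smtpClient.Send(mailMessage);
            }
        }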
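        /// <summary>
        /// Generates a random salt of <paramref name="size"/> bytes and returns it (Base64) together
        /// with the hash of <paramref name="strPassword"/> concatenated with that Base64 salt.
        /// </summary>
        /// <param name="size">Number of random salt bytes to generate; must be positive.</param>
        /// <param name="strPassword">Password to hash.</param>
        /// <returns>A <see cref="HashSalt"/> whose <c>Hash</c> is the salted hash and whose <c>Salt</c> is the Base64 salt.</returns>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="size"/> is zero or negative.</exception>
        /// <exception cref="ArgumentNullException"><paramref name="strPassword"/> is null.</exception>
        public static HashSalt GenerateSaltedHash(int size, string strPassword)
        {
            // A zero-length salt silently produced an unsalted hash; a negative size failed later
            // with an OverflowException from the array allocation.
            if (size <= 0)
            {
                throw new ArgumentOutOfRangeException("size", "Salt size must be positive.");
            }
            // A null password concatenates as "", i.e. the hash of the salt alone would be stored.
            if (strPassword == null)
            {
                throw new ArgumentNullException("strPassword");
            }

            var saltBytes = new byte[size];

            // The CSPRNG wraps an OS handle; dispose it rather than leaving it to the finalizer.
            using (var provider = new RNGCryptoServiceProvider())
            {
                provider.GetNonZeroBytes(saltBytes);
            }
            string strSalt = Convert.ToBase64String(saltBytes);

            // NOTE(review): GenerateHashString is not visible here. If it is a single plain hash
            // rather than a slow, iterated KDF (PBKDF2 or similar), the stored password hashes are
            // cheap to brute-force offline — confirm.
            string strSaltHash = GenerateHashString(strPassword + strSalt);

            return new HashSalt {
                Hash = strSaltHash, Salt = strSalt
            };
        }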
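        /// <summary>
        /// Handles the reset-credentials form. When a username is posted the request is treated as
        /// "forgot password": if first name, last name, e-mail and username all match an employee,
        /// a reset e-mail is sent. When a password is posted instead it is "forgot username": if
        /// name and e-mail match and the password verifies, a forgot-username e-mail is sent.
        /// Either way the user is redirected to the "e-mail sent" page.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void btnResetCredentials_Click(object sender, EventArgs e)
        {
            try {
                string strFirstName = Request.Form["txtFirstName"];
                string strLastName  = Request.Form["txtLastName"];
                string strEmail     = Request.Form["txtEmail"];
                string strUsername  = Request.Form["txtUsername"];
                string strPassword  = Request.Form["txtPassword"];

                // using-blocks release the connection and readers on every path; previously they were
                // closed only when the query and the e-mail send both succeeded.
                using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString()))
                {
                    conn.Open();

                    // IsNullOrEmpty rather than != "": a field missing from the post is null, which the
                    // old comparison routed into the forgot-password branch with a null parameter.
                    if (!string.IsNullOrEmpty(strUsername))
                    {
                        // Forgot password
                        string qry = "SELECT * FROM Data.Employee WHERE First_Name = @firstname AND Last_Name = @lastname AND Email = @email AND Username = @username";
                        using (SqlCommand cmd = new SqlCommand(qry, conn)) {
                            AddVarCharParameter(cmd, "@firstname", strFirstName);
                            AddVarCharParameter(cmd, "@lastname", strLastName);
                            AddVarCharParameter(cmd, "@email", strEmail);
                            AddVarCharParameter(cmd, "@username", strUsername);

                            using (SqlDataReader sdr = cmd.ExecuteReader())
                            {
                                if (sdr.Read())
                                {
                                    // Matching user found
                                    int intID = (int)sdr["Person_ID"];
                                    strUsername = sdr["Username"].ToString();

                                    // Send reset password email
                                    sendResetEmail(intID, strUsername, strEmail);
                                }
                            }
                        }
                    }
                    else if (!string.IsNullOrEmpty(strPassword))
                    {
                        // Forgot username
                        string qry = "SELECT * FROM Data.Employee WHERE First_Name = @firstname AND Last_Name = @lastname AND Email = @email";
                        using (SqlCommand cmd = new SqlCommand(qry, conn)) {
                            AddVarCharParameter(cmd, "@firstname", strFirstName);
                            AddVarCharParameter(cmd, "@lastname", strLastName);
                            AddVarCharParameter(cmd, "@email", strEmail);

                            using (SqlDataReader sdr = cmd.ExecuteReader())
                            {
                                if (sdr.Read())
                                {
                                    // Matching user found
                                    strUsername = sdr["Username"].ToString();
                                    string strHash = sdr["Password"].ToString();
                                    string strSalt = sdr["Salt"].ToString();

                                    // Check if password hash and salt match. The stored values are trimmed
                                    // as the sign-in handler does; without that, CHAR-column padding makes
                                    // verification fail even for the correct password.
                                    if (HashSalt.VerifySaltedHash(strPassword, strHash.Trim(), strSalt.Trim()))
                                    {
                                        // Send forgot username email if password is correct
                                        sendForgotUsernameEmail(strUsername, strEmail);
                                    }
                                }
                            }
                        }
                    }
                }

                // Redirect to email sent page
                // This displays for invalid credentials as well so malicious users are not able to find valid usernames to attack
                Response.Redirect("reset.aspx?type=resetEmailSent");
            }
            catch (System.Threading.ThreadAbortException) {
                // Response.Redirect ends the request by aborting the thread; not an error.
                throw;
            }
            catch (Exception ex) {
                // Keep the details server-side; writing ex.Message to the response disclosed
                // database error text to the client (and would undo the enumeration protection above).
                System.Diagnostics.Trace.TraceError(ex.ToString());
                Response.Write("An unexpected error occurred.");
            }
        }

        /// <summary>
        /// Adds a VarChar parameter to <paramref name="cmd"/>. A null <paramref name="value"/> is
        /// bound as DBNull so the query runs (and matches nothing) instead of SqlClient rejecting
        /// the command for a missing parameter.
        /// </summary>
        /// <param name="cmd">Command to add the parameter to.</param>
        /// <param name="name">Parameter name including the leading '@'.</param>
        /// <param name="value">Parameter value; may be null.</param>
        private static void AddVarCharParameter(SqlCommand cmd, string name, string value)
        {
            var param = new SqlParameter(name, System.Data.SqlDbType.VarChar);
            param.Value = (object)value ?? DBNull.Value;
            cmd.Parameters.Add(param);
        }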