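public static bool verifyUser(string username, string password, string loginType)
{
    // Checks a login attempt against the salted hash stored for <username>.
    // loginType == ROLE_STAFF selects CompanyStaff (keyed by StaffEmail); any other
    // value selects Customer (keyed by CustomerEmail). Both tables expose the hash and
    // the per-user salt as binary columns (aliased Password / Salt below).
    //
    // Returns true only when the supplied password, hashed with the stored salt, equals
    // the stored hash. Returns false – instead of throwing – for a null argument, an
    // unknown user, a row without usable hash/salt, and an account still carrying the
    // {0,0} "password not set" placeholder written by staff registration (such an
    // account must not be able to log in before activation).
    // Configuration and database errors propagate to the caller unchanged; they are no
    // longer re-wrapped in a bare Exception whose message carried the stack trace.
    if (username == null || password == null)
    {
        return false;
    }

    bool isStaff = string.Equals(loginType, ROLE_STAFF, StringComparison.Ordinal);
    string strSelect = isStaff
        ? "select StaffPassword As Password, StaffSalt As Salt from CompanyStaff where StaffEmail = @uname"
        : "select CustomerPassword As Password, CustomerSalt As Salt from Customer where CustomerEmail = @uname";

    byte[] storedPassword;
    byte[] storedSalt;
    using (SqlConnection conPrintDB = new SqlConnection(ConfigurationManager.ConnectionStrings["printDBServer"].ConnectionString))
    using (SqlCommand cmdSelect = new SqlCommand(strSelect, conPrintDB))
    {
        cmdSelect.Parameters.AddWithValue("@uname", username);
        using (SqlDataAdapter da = new SqlDataAdapter(cmdSelect))
        {
            DataTable result = new DataTable();
            da.Fill(result); // Fill opens and closes the connection itself

            if (result.Rows.Count == 0)
            {
                // Unknown user. Still pay for one hash so the response time does not
                // reveal whether the e-mail address exists (enumeration via timing).
                ClassHashing.generateSaltedHash(password, ClassHashing.generateSalt());
                return false;
            }

            // Only the first row is considered, as before; 'as' turns a DBNull column
            // into a failed login instead of an InvalidCastException.
            storedPassword = result.Rows[0]["Password"] as byte[];
            storedSalt = result.Rows[0]["Salt"] as byte[];
        }
    }

    if (storedPassword == null || storedSalt == null || isPlaceholderPassword(storedPassword))
    {
        // No usable credential on file (never set, or account awaiting activation).
        return false;
    }

    byte[] hashedPassword = ClassHashing.generateSaltedHash(password, storedSalt);

    // NOTE(review): CompareByteArrays is assumed to be a constant-time comparison –
    // confirm in ClassHashing; an early-exit compare leaks how much of the hash matched.
    return ClassHashing.CompareByteArrays(storedPassword, hashedPassword);
}

// True when the stored hash is the {0,0} placeholder that staff registration writes
// for an account whose password has not been set yet (see btnSubmit_Click/activateStaff).
private static bool isPlaceholderPassword(byte[] stored)
{
    return stored.Length == 2 && stored[0] == 0 && stored[1] == 0;
}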
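public static string activateStaff(string verificationCode)
{
    // Resolves an activation code (as mailed by staff registration) to the StaffID it
    // belongs to. The code is the base64 salted hash of StaffID + StaffNRIC under that
    // staff member's own salt (see getVerificationCode), so the lookup loads every
    // CompanyStaff row still carrying the {0,0} "password not set" placeholder and
    // recomputes the hash per row.
    //
    // Returns the matching StaffID, or null when the code is missing, is not valid
    // base64, or matches no pending account. Database errors propagate unchanged.
    //
    // Caveats (review): the code has no expiry of its own – it only stops working once
    // the account's password is set and the row leaves the placeholder set – and every
    // call costs one hash per pending account, so a slow hash combined with many
    // pending accounts makes this endpoint cheap for a caller to load up.
    if (string.IsNullOrEmpty(verificationCode))
    {
        return null;
    }

    byte[] codeByte;
    try
    {
        codeByte = Convert.FromBase64String(verificationCode);
    }
    catch (FormatException)
    {
        // Malformed text from the URL is an invalid code, not a server error.
        return null;
    }

    // Must stay identical to the placeholder written by btnSubmit_Click.
    byte[] emptyByte = { 0, 0 };
    DataTable pending = new DataTable();
    using (SqlConnection conPrintDB = new SqlConnection(ConfigurationManager.ConnectionStrings["printDBServer"].ConnectionString))
    using (SqlCommand cmdSelect = new SqlCommand("select StaffID, StaffNRIC, StaffSalt from CompanyStaff where StaffPassword = @password", conPrintDB))
    {
        cmdSelect.Parameters.AddWithValue("@password", emptyByte);
        using (SqlDataAdapter da = new SqlDataAdapter(cmdSelect))
        {
            da.Fill(pending); // Fill opens and closes the connection itself
        }
    }

    foreach (DataRow row in pending.Rows)
    {
        // The registration page builds the code from (object)staffID + NRIC, i.e. via
        // ToString(); Convert.ToString keeps both sides in step whether StaffID is a
        // string or a numeric key, where a (string) cast would throw for the latter.
        string staffID = Convert.ToString(row["StaffID"]);
        string staffNRIC = Convert.ToString(row["StaffNRIC"]);
        byte[] staffSalt = row["StaffSalt"] as byte[];
        if (staffSalt == null)
        {
            continue; // no salt on file: this row can never have produced a code
        }

        byte[] expected = ClassHashing.generateSaltedHash(staffID + staffNRIC, staffSalt);
        // NOTE(review): assumes CompareByteArrays is constant-time; confirm in ClassHashing.
        if (ClassHashing.CompareByteArrays(expected, codeByte))
        {
            return staffID;
        }
    }

    return null;
}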
public static string getVerificationCode(string text, byte[] salt)
{
    // Builds the activation code mailed to a new staff member: the salted hash of
    // <text> (callers pass StaffID + NRIC) under <salt> (the staff member's own,
    // freshly generated salt), rendered as base64 so it can travel in a query string
    // once the caller UrlEncodes it. activateStaff recomputes the same hash to match it.
    byte[] digest = ClassHashing.generateSaltedHash(text, salt);
    return Convert.ToBase64String(digest);
}
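protected void btnSubmit_Click(object sender, EventArgs e)
{
    // Registers a new staff member for the company named by the CompanyID cookie.
    // When "set password" is ticked the typed password is stored as a salted hash;
    // otherwise the {0,0} placeholder is stored (verifyUser refuses such accounts) and an
    // activation link carrying getVerificationCode(StaffID + NRIC, salt) is e-mailed to
    // the new address – directly when mail credentials are already in session, else
    // after a detour through VerifyEmail.aspx, which returns to this page.
    //
    // SECURITY (review): CompanyID is read from a client-supplied cookie and used as the
    // tenant key for both the company lookup and the insert. Anyone who can reach this
    // page can therefore create staff under any company by editing that cookie. The
    // tenant should come from server-side session/authentication state, not from
    // Request.Cookies – TODO. The null/empty guard below only prevents a crash.
    HttpCookie companyCookie = Request.Cookies["CompanyID"];
    if (companyCookie == null || string.IsNullOrEmpty(companyCookie.Value))
    {
        lblError.Text = "An error occurred while registering the staff member: company not identified.";
        return;
    }
    string companyID = companyCookie.Value;

    try
    {
        using (SqlConnection conPrintDB = new SqlConnection(ConfigurationManager.ConnectionStrings["printDBServer"].ConnectionString))
        {
            conPrintDB.Open();

            // Resolve the company before writing anything: an unknown CompanyID (e.g. a
            // forged cookie) must not leave an orphaned staff row behind.
            string companyName = lookupCompanyName(conPrintDB, companyID);
            if (companyName == null)
            {
                lblError.Text = "An error occurred while registering the staff member: company not found.";
                return;
            }

            byte[] generatedSalt = ClassHashing.generateSalt();
            // {0,0} marks "password not set yet"; verifyUser and activateStaff key off it.
            byte[] hashPassword = { 0, 0 };
            if (chkPassSet.Checked)
            {
                // NOTE(review): no password policy is applied; txtPassword.Text is hashed as typed.
                hashPassword = ClassHashing.generateSaltedHash(txtPassword.Text, generatedSalt);
            }

            object staffID = insertStaff(conPrintDB, hashPassword, generatedSalt, companyID);

            if (!chkPassSet.Checked)
            {
                // The row is already committed at this point; if sending fails the account
                // stays pending and this page offers no way to re-send the link.
                string verificationCode = UserVerification.getVerificationCode(staffID + txtNRIC.Text, generatedSalt);
                string verificationLink = DOMAIN_NAME + Page.ResolveUrl("~/StaffAccountActivation.aspx?VC=" + HttpUtility.UrlEncode(verificationCode));
                string emailContent = EmailClass.populateActivationEmail(companyName, verificationLink);
                EmailClass emailClass = new EmailClass(txtEmail.Text, "Staff Account Activation", emailContent, true);

                if (EmailClass.isCredentialed())
                {
                    EmailCredential credential = (EmailCredential)Session["EmailCredential"];
                    emailClass.sendEmail(credential);
                }
                else
                {
                    Session["tempEmail"] = emailClass;
                    // ReturnURL is encoded: the current URL may carry its own query string,
                    // which would otherwise be split off by the query parser on VerifyEmail.aspx.
                    Response.Redirect(ResolveUrl("~/Staff/VerifyEmail.aspx?ReturnURL=" + HttpUtility.UrlEncode(Request.Url.AbsoluteUri)));
                    return;
                }
            }

            lblError.Text = "Successfully added";
        }
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Raised by Response.Redirect ending the response; not a failure, let it propagate.
        throw;
    }
    catch (Exception ex)
    {
        // Never echo ex.ToString() to the browser: it carries stack traces, SQL error
        // text, table/column names and possibly connection details. Log it instead.
        System.Diagnostics.Trace.TraceError("Staff registration failed: {0}", ex);
        lblError.Text = "An error occurred while registering the staff member. Please try again.";
    }
}

// Returns the CompanyName for <companyID>, or null when no such company exists
// (ExecuteScalar returns null for no rows and DBNull for a NULL name; both map to null).
private string lookupCompanyName(SqlConnection conPrintDB, string companyID)
{
    using (SqlCommand cmdSelect = new SqlCommand("SELECT CompanyName FROM Company WHERE CompanyID = @companyID", conPrintDB))
    {
        cmdSelect.Parameters.AddWithValue("@companyID", companyID);
        return cmdSelect.ExecuteScalar() as string;
    }
}

// Inserts the staff row from the form fields and returns the new StaffID as read back by
// the SELECT that follows the INSERT. Runs on the caller's already-open connection.
private object insertStaff(SqlConnection conPrintDB, byte[] hashPassword, byte[] generatedSalt, string companyID)
{
    // NOTE(review): "MAX(StaffID) where name and phone match" is only right while no two
    // staff share both values; if StaffID is an IDENTITY column, SCOPE_IDENTITY() is the
    // reliable way to read the key just inserted.
    const string strInsert = "Insert Into CompanyStaff (StaffName, StaffEmail, StaffPassword, StaffNRIC, StaffDOB, StaffPhoneNo, StaffSalt, StaffRole, CompanyID) Values (@staffName, @staffEmail,@staffPassword, @staffNRIC, @staffDOB, @staffPhoneNo, @staffSalt, @staffRole, @companayID); SELECT MAX(StaffID) from CompanyStaff where StaffName=@staffName and StaffPhoneNo=@staffPhoneNo";
    using (SqlCommand cmdInsert = new SqlCommand(strInsert, conPrintDB))
    {
        cmdInsert.Parameters.AddWithValue("@staffName", txtName.Text);
        cmdInsert.Parameters.AddWithValue("@staffEmail", txtEmail.Text);
        cmdInsert.Parameters.AddWithValue("@staffPassword", hashPassword);
        cmdInsert.Parameters.AddWithValue("@staffNRIC", txtNRIC.Text);
        cmdInsert.Parameters.AddWithValue("@staffDOB", cldBOD.SelectedDate);
        cmdInsert.Parameters.AddWithValue("@staffPhoneNo", txtPhoneNo.Text);
        cmdInsert.Parameters.AddWithValue("@staffSalt", generatedSalt);
        cmdInsert.Parameters.AddWithValue("@staffRole", UserVerification.ROLE_STAFF);
        cmdInsert.Parameters.AddWithValue("@companayID", companyID);
        return cmdInsert.ExecuteScalar();
    }
}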