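/// <summary>
/// Validates a posted username/password against dbo.UserTable, maintains the
/// failed-attempt counters and lockout flag, and redirects the user to the
/// dashboard for their role (or to the security-question page when none are set).
/// </summary>
/// <param name="userLoggingIn">The credentials posted from the login form.</param>
/// <returns>
/// A redirect for an accepted login; otherwise an <see cref="EmptyResult"/> after a
/// client-side alert with the denial message has been written to the response.
/// </returns>
public ActionResult Authenticate(LoginModel userLoggingIn)
{
    EventLogHandler logger = new EventLogHandler();
    ErrorController getErr = new ErrorController();
    string invalidLogin = getErr.GetErrorMessage(19);   // unknown username
    string accessDenied = getErr.GetErrorMessage(21);   // account not active
    string accountLocked = getErr.GetErrorMessage(30);  // account locked
    string attemptsLeft = getErr.GetErrorMessage(31);   // prefix for "N attempts remaining"

    // A successful login resets the attempt counter to this value.
    const int MaxLoginAttempts = 10;

    // Load the account for the typed username. This runs outside any catch on purpose:
    // a SQL failure here should surface through the normal MVC error pipeline rather
    // than be echoed to the browser.
    List<UserModel> userDetails;
    using (IDbConnection db = new SqlConnection(SqlAccess.GetConnectionString()))
    {
        userDetails = db.Query<UserModel>(
            "Select * from dbo.UserTable Where Username = @Username",
            new { Username = userLoggingIn.Username }).ToList();
    }

    // NOTE(review): an unknown username and a wrong password produce different
    // messages (invalidLogin vs. attemptsLeft), which lets a caller confirm which
    // usernames exist. Unifying the two messages would close that, but the texts
    // come from the error table and are kept as-is here.
    if (userDetails == null || userDetails.Count == 0)
    {
        return LoginAlert(invalidLogin);
    }

    UserModel user = userDetails[0];

    // Active / AccountLocked are compared with == so nullable columns behave as before.
    if (user.Active == false)
    {
        return LoginAlert(accessDenied);
    }
    if (user.AccountLocked == true)
    {
        return LoginAlert(accountLocked);
    }

    // NOTE(review): this comparison only succeeds if the Password column holds the
    // clear-text password, i.e. passwords are stored unhashed. Storing a salted
    // PBKDF2 hash and comparing hashes is the fix, but it needs a schema and
    // registration change outside this method.
    if (userLoggingIn.Password != user.Password)
    {
        // Username exists but the password is wrong. The original locked only when the
        // counter was exactly 1; <= 1 also locks a counter that has already reached 0
        // (or gone negative) without the lock flag having been set.
        bool lastAttempt = user.LoginAttempts <= 1;

        using (IDbConnection db = new SqlConnection(SqlAccess.GetConnectionString()))
        {
            db.Execute(
                "Update dbo.UserTable set LoginFails = @fails, LoginAttempts = @attempts Where Username = @name;",
                new { fails = user.LoginFails + 1, attempts = user.LoginAttempts - 1, name = user.Username });

            if (lastAttempt)
            {
                // Lock the account for too many invalid attempts.
                db.Execute(
                    "Update dbo.UserTable set AccountLocked = @Lock Where Username = @name;",
                    new { Lock = true, name = user.Username });
            }
        }

        if (lastAttempt)
        {
            logger.LogAccountLocked(user.ID, user.Username);
            return LoginAlert(accountLocked);
        }

        int amountRemaining = (int)user.LoginAttempts - 1;
        return LoginAlert(attemptsLeft + " " + amountRemaining.ToString());
    }

    // Password accepted: establish the session state the rest of the site reads.
    // NOTE(review): the session is not regenerated on login; if session fixation is a
    // concern, abandon the pre-login session and issue a fresh ID here.
    System.Web.HttpContext.Current.Session["FirstNameofUser"] = user.FirstName;
    System.Web.HttpContext.Current.Session["Username"] = user.Username;
    // UserRole drives the role checks elsewhere; see
    // https://code.msdn.microsoft.com/How-to-create-and-access-447ada98
    System.Web.HttpContext.Current.Session["UserRole"] = user.Role;

    if (user.SecurityQuestion1 == null)
    {
        // Security questions not yet answered: count the login, then send the user there.
        using (IDbConnection db = new SqlConnection(SqlAccess.GetConnectionString()))
        {
            db.Execute(
                "Update dbo.UserTable set LoginAmount = @amount Where Username = @name;",
                new { amount = user.LoginAmount + 1, name = user.Username });
        }
        return Redirect("~/Account/SecurityQuestions");
    }

    // Fully allowed login: count it, reset the attempt counter and stamp LastLogin.
    // LastLogin is written in server local time (DateTime.Now) as before; presumably
    // other readers of that column expect local time — confirm before moving to UtcNow.
    using (IDbConnection db = new SqlConnection(SqlAccess.GetConnectionString()))
    {
        db.Execute(
            "Update dbo.UserTable set LoginAmount = @amount, LoginAttempts = @attempts, LastLogin = @time Where Username = @name;",
            new { amount = user.LoginAmount + 1, attempts = MaxLoginAttempts, time = DateTime.Now, name = user.Username });
    }
    logger.LogUserLogin(user.Username);

    switch (user.Role)
    {
        case "Admin":
            return Redirect("~/Admin/Dashboard");
        case "Accountant":
            return Redirect("~/Accountant/Dashboard");
        case "Manager":
            return Redirect("~/Manager/ManagerIndex");
        default:
            // Any other role has no dashboard mapped; as before, the response is left
            // empty rather than redirecting somewhere arbitrary.
            return new EmptyResult();
    }
}

/// <summary>
/// Writes a client-side alert containing <paramref name="message"/> and sends the
/// browser back to the login page, then ends the action with an empty result.
/// </summary>
/// <param name="message">The denial message to display; encoded before being placed in the script.</param>
/// <returns>An <see cref="EmptyResult"/>, since the script already performs the navigation.</returns>
private ActionResult LoginAlert(string message)
{
    // Encode so a quote, backslash or angle bracket in the message cannot break out of
    // the JavaScript string literal.
    string safeMessage = System.Web.HttpUtility.JavaScriptStringEncode(message);
    Response.Write("<script language=javascript>alert('" + safeMessage + "'); window.location = 'Login';</script>");
    return new EmptyResult();
}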