protected void Page_Load(object sender, EventArgs e)
{
try {
if (Request.QueryString["username"] != null && Request.QueryString["username"] != string.Empty && Request.QueryString["token"] != null && Request.QueryString["token"] != string.Empty)
{
txtUsername.Value = Request.QueryString["username"];
string strUsername = Request.QueryString["username"];
string strToken = Request.QueryString["token"];
string strHashedTokenDb = "";
bool blnHashesEqual = false;
// Get the hashed token in the database
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString());
conn.Open();
string qry = "SELECT R.Token_Hash FROM Data.ResetTokens AS R JOIN Data.Employee AS E ON R.Person_ID = E.Person_ID WHERE E.Username = @username AND R.Token_Used = 0 AND DATEDIFF(millisecond, R.Expiration_Date, GETDATE()) < 0";
using (SqlCommand cmd = new SqlCommand(qry, conn)) {
var usernameParam = new SqlParameter("@username", System.Data.SqlDbType.VarChar);
usernameParam.Value = strUsername;
cmd.Parameters.Add(usernameParam);
SqlDataReader sdr = cmd.ExecuteReader();
if (sdr.Read())
{
strHashedTokenDb = sdr["Token_Hash"].ToString().Trim();
// Compare to query string token hash
string strHashedToken = HashSalt.GenerateHashString(strToken);
if (strHashedToken.Equals(strHashedTokenDb))
{
blnHashesEqual = true;
}
}
else
{
// Token is already used or expired
// Or user does not have an tokens
Response.Redirect("reset.aspx?type=invalidToken");
}
cmd.Dispose();
conn.Close();
}
if (blnHashesEqual == false)
{
// Invalid token
Response.Redirect("reset.aspx?type=invalidToken");
}
}
else
{
// No username or token provided
Response.Redirect("reset.aspx?type=invalidToken");
}
} catch (Exception ex) {
Response.Write(ex.Message);
}
}
private void sendResetEmail(int intID, string strUsername, string strEmail)
{
string strToken = generateToken();
string strHashedToken = HashSalt.GenerateHashString(strToken);
// Mark any existing tokens and used
markExistingTokens();
// Store the hashed token in database
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ToString());
conn.Open();
string qry = "INSERT into Data.ResetTokens(Person_ID, Token_Hash, Expiration_Date, Token_Used) VALUES(@id, @tokenhash, '" + DateTime.Now.AddHours(3) + "', '0')";
using (SqlCommand cmd = new SqlCommand(qry, conn)) {
var idParam = new SqlParameter("@id", System.Data.SqlDbType.Int);
idParam.Value = intID;
cmd.Parameters.Add(idParam);
var tokenHashParam = new SqlParameter("@tokenhash", System.Data.SqlDbType.Char);
tokenHashParam.Value = strHashedToken;
cmd.Parameters.Add(tokenHashParam);
cmd.ExecuteNonQuery();
cmd.Dispose();
conn.Close();
}
SmtpSection section = (SmtpSection)ConfigurationManager.GetSection("system.net/mailSettings/smtp");
MailMessage mailMessage = new MailMessage(section.Network.UserName, strEmail);
string templatePath = HttpRuntime.AppDomainAppPath + "/emailResetTemplate.html";
StreamReader sr = new StreamReader(templatePath);
string strEmailBody = sr.ReadToEnd();
sr.Close();
// Replace the template placeholder variables
strEmailBody = strEmailBody.Replace("[strUsername]", strUsername);
strEmailBody = strEmailBody.Replace("[actionURL]", ConfigurationManager.AppSettings["mainURL"] + "resetPassword?username="******"&token=" + strToken);
strEmailBody = strEmailBody.Replace("[mainURL]", ConfigurationManager.AppSettings["mainURL"]);
mailMessage.IsBodyHtml = true;
mailMessage.Body = strEmailBody;
mailMessage.Subject = "Reset Your Password";
SmtpClient smtpClient = new SmtpClient();
smtpClient.Send(mailMessage);
}
