Checking credentials via a stored procedure !! [Resolved]

Posted by Akiii under C# on 6/9/2011 | Points: 10 | Views : 4842 | Status : [Member] | Replies : 16
Hi,
I have a problem doing this; I am describing the scenario below:

(1) I have an asp:login control in my aspx page
<asp:Login ID="Login1" runat="server" onauthenticate="Login1_Authenticate" FailureAction="RedirectToLoginPage">                        
</asp:Login>

(2) The code-behind is
public void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    bool Authenticated = false;
    Authenticated = SiteSpecificAuthenticationMethod(Login1.UserName, Login1.Password);
    e.Authenticated = Authenticated;
}

public bool SiteSpecificAuthenticationMethod(string username, string pass)
{
    string userid = username;
    string password = pass;

    //string connstr = "Data Source=ARKA-PC;Initial Catalog=rgdb;User Id = sa;password = 12345";
    //getting data from web.config file
    string connstr = ConfigurationManager.ConnectionStrings["TestConnectionString1"].ConnectionString;

    SqlConnection conn = new SqlConnection(connstr);
    SqlCommand cmd = new SqlCommand();
    conn.Open();

    cmd = new SqlCommand("Select name,password WHERE name='@userid' AND password='@password'", conn);
    cmd.Parameters.AddWithValue("@userid", Login1.UserName);
    cmd.Parameters.AddWithValue("@password", Login1.Password);

    if (str1 == "admin" && str2 == "admin")
    {
        Session["user"] = "admin";
        Response.Redirect("Products.aspx");
        return true;
    }
    else
    {
        //Response.Write("invalid login");
        return false;
    }
    conn.Close();
}

(3) I have a database known as "Stepsample" in which I have one table containing two fields: name and password (both username and password are admin).
(4) Now I want to check if one tries to log in via invalid credentials via a stored procedure.

Please let me know how to check the username and password stored in the database and validate it.

Any help is appreciated.

Thanks and Regards
Akiii




Responses

Posted by: Ndebata on: 6/9/2011 [Member] Starter | Points: 50

Resolved
Hi Akiii,
Try to create a procedure like this

CREATE PROC IsValidUser(@UserName nvarchar(50), @Password nvarchar(50))
AS
BEGIN
    IF EXISTS(SELECT 1 FROM tblUser
              WHERE UserName = @UserName
                AND [Password] = @Password COLLATE SQL_Latin1_General_CP1_CS_AS)
        SELECT CAST(1 AS bit) Found
    ELSE
        SELECT CAST(0 AS bit) Found
END

Then in the code behind
private bool IsValidUser(string username, string password)
{
    bool ret = false;
    if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
        throw new ArgumentException("Invalid Username or Password");
    // Needs: using System; using System.Data.SqlClient;
    // The using blocks close the connection, command and reader on every path.
    try
    {
        using (SqlConnection con = new SqlConnection("<Your Connection string>"))
        using (SqlCommand cmd = new SqlCommand("dbo.IsValidUser", con))
        {
            cmd.CommandType = System.Data.CommandType.StoredProcedure;
            // Values travel as parameters, never concatenated into the SQL text.
            cmd.Parameters.AddWithValue("@UserName", username);
            cmd.Parameters.AddWithValue("@Password", password);
            con.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                // The procedure returns one row with a single bit column (Found).
                if (dr.Read())
                {
                    ret = dr.GetBoolean(0);
                }
            }
        }
    }
    catch (Exception)
    {
        // Any database error leaves ret false, so the login is rejected.
    }
    return ret;
}


*Please note that you should not store passwords openly in your database; if anybody can hack into it, they can steal it.

Thanks,
Debata


Posted by: Nithadeepak on: 6/9/2011 [Member] Bronze | Points: 50

Resolved
Hi Akiii,

You can encrypt the credentials using the FormsAuthentication class's HashPasswordForStoringInConfigFile method. This method uses the SHA1 or MD5 algorithms to encrypt data, as shown below:
Password = FormsAuthentication.HashPasswordForStoringInConfigFile(Password, "SHA1");


Just go through this:

http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.hashpasswordforstoringinconfigfile.aspx

Nitha Deepak


Posted by: Akiii on: 6/9/2011 [Member] Bronze | Points: 25

Hi Narayan,

I am looking into your code. I will get back to you ASAP.
In the meantime, you said that storing passwords openly will lead to problems. Surely, but what are the ways in which I can encrypt that, and how will I retrieve the encrypted value from the database?

As always, thanks for your constant support!

Regards
Akiii


Posted by: Ndebata on: 6/9/2011 [Member] Starter | Points: 25

Hello Akiii,
There are many ways to do this.
One could be like this (generates a random salt, then combines it with the password, then hashes it).
You can add your own logic here. :)
http://www.blackwasp.co.uk/SaltedPasswordHashing_2.aspx

Thanks,
Debata


Posted by: Akiii on: 6/9/2011 [Member] Bronze | Points: 25

I am attaching the project for your perusal.

Akiii

Posted by: Akiii on: 6/10/2011 [Member] Bronze | Points: 25

Hi Nitha,

It's a good link.
I made a web project and executed the code, and it's working fine.
But can you tell me where the hashed password is being stored? Because I can't find it in the web.config file.

Thanks and Regards
Akiii


Posted by: Nithadeepak on: 6/10/2011 [Member] Bronze | Points: 25

The HashPasswordForStoringInConfigFile method creates a hashed password value that can be used when storing forms-authentication credentials in the configuration file for an application.
With Forms Authentication we can store usernames and passwords in the login code itself, the web.config file, a database, or an XML file.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms>
        <credentials passwordFormat="Clear">
          <!-- here you can use hashed password -->
          <user name="admin" password="password" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>


For a more detailed explanation, refer to http://www.codefixer.com/asp-net/tutorials/asp-net-login-with-forms-authentication.asp

Nitha Deepak


Posted by: Akiii on: 6/10/2011 [Member] Bronze | Points: 25

Hi Nitha,

I tried your link, but I am not able to do one thing, that is:
Suppose I log in via a valid username and password; then I want to persist the login even if I close the browser!
Please tell me how to do this.

Your link contains that, but I am not able to do it!

Thanks for your support.
Akiii





Posted by: Nithadeepak on: 6/10/2011 [Member] Bronze | Points: 25

You can configure the session timeout in web.config:

<sessionState
  mode="InProc"
  cookieless="false"
  timeout="20"
/>


http://msdn.microsoft.com/en-us/library/h6bb9cz9(v=vs.71).aspx

Nitha Deepak


Posted by: Akiii on: 6/13/2011 [Member] Bronze | Points: 25

Hi Nitha,

Thanks for the link.
I successfully built my project using

<sessionState
  mode="InProc"
  cookieless="false"
  timeout="20"
/>


Just tell me, is it good practice to store the password in the web.config file by encrypting it?

Thanks and regards
Akiii



Posted by: Akiii on: 6/13/2011 [Member] Bronze | Points: 25

Hi,

When I am taking the password from textbox2, how will I encrypt it and store it in the database?

Regards
Akiii


Posted by: Nithadeepak on: 6/13/2011 [Member] Bronze | Points: 25


I think it is better to store the credentials in a database (in encrypted form) if you have to store so many credentials (i.e., if your application allows visitors to register, then you have to store an unlimited number of credentials).

If there are only one or two users to log in to your application, then store it in web.config.

It's only my thinking.
Please correct me if I am wrong.

Nitha Deepak


Posted by: Akiii on: 6/13/2011 [Member] Bronze | Points: 25

Yes, you are right. It's better to store in the database if there is a huge amount of data, unless it's okay to store that in web.config.

Could you please tell me how to store an encrypted password in a database?

Akiii


Posted by: Akiii on: 6/13/2011 [Member] Bronze | Points: 25

Hi Nitha,

Thanks for the links.
I got my password encrypted and decrypted.

Thanks for your constant support.

Regards
Akiii


Posted by: Nithadeepak on: 6/13/2011 [Member] Bronze | Points: 25

Akiii,

If you got the correct solution, please mark it as resolved.

Nitha Deepak
