Checking credentials via a stored procedure !! [Resolved]

Posted by Akiii under C# on 6/9/2011 | Points: 10 | Views : 6680 | Status : [Member] | Replies : 16

Write New Post |

Search Forums | Answered

Resolved Posts |

Un Answered Posts |

Forums Home

Hi,
I have a problem to do this, I am describing the scenario below:-

(1) I have an asp:login control in my aspx page

<asp:Login ID="Login1" runat="server" onauthenticate="Login1_Authenticate" FailureAction="RedirectToLoginPage">                        
</asp:Login>

(2) The code-behind is

public void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        bool Authenticated = false;
        Authenticated = SiteSpecificAuthenticationMethod(Login1.UserName, Login1.Password);
        e.Authenticated = Authenticated;
    }

    public bool SiteSpecificAuthenticationMethod(string username, string pass)
    {
        string userid = username;
        string password = pass;

        //string connstr = "Data Source=ARKA-PC;Initial Catalog=rgdb;User Id = sa;password = 12345";
        //getting data from web.config file
        string connstr = ConfigurationManager.ConnectionStrings["TestConnectionString1"].ConnectionString;

        SqlConnection conn = new SqlConnection(connstr);
        SqlCommand cmd = new SqlCommand();
        conn.Open();

        cmd = new SqlCommand("Select name,password WHERE name='@userid' AND password='@password'", conn);
        cmd.Parameters.AddWithValue("@userid", Login1.UserName);
        cmd.Parameters.AddWithValue("@password", Login1.Password);
        
        if (str1 == "admin" && str2 == "admin")
        {
            Session["user"] = "admin";
            Response.Redirect("Products.aspx");
            return true;
        }
        else
        {
            //Response.Write("invalid login");
            return false;
        }
        conn.Close();
    }

(3) I have a database known as "Stepsample" in which i have one table containing two fields. One is name and password(both username and password is admin).
(4) Now i want to check if one tries to login via invalid credentials via a stored procedure.

Please let me know how to check the username and password stored in the database and validate it......

Any help is appreciated..

Thanks and Regards
Akiii

[Resolved]

Reply | Reply with Attachment

Alert Moderator

Responses

Posted by: Ndebata on: 6/9/2011 [Member] Starter | Points: 50

0	Hi Akiii, Try to create a procedure like this Create PROC IsValidUser(@UserName nvarchar(50),@Password nvarchar(50)) as Begin IF EXISTS(select 1 from tblUser where UserName=@UserName and [Password] = @Password COLLATE SQL_Latin1_General_CP1_CS_AS) Select Cast( 1 as bit) Found Else Select Cast( 0 as bit) Found End Then in the code behind private bool IsValidUser(string username, string password) { bool ret = false; if(string.IsNullOrEmpty(username)\|\| string.IsNullOrEmpty(password)) throw new ArgumentNullException("Invalid Username or Password"); SqlConnection con = new SqlConnection("<Your Connection string>"); try { SqlCommand cmd = new SqlCommand(); cmd.Connection = con; cmd.CommandType = System.Data.CommandType.StoredProcedure; cmd.CommandText = "dbo.IsValidUser"; cmd.Parameters.AddWithValue("@UserName", username); cmd.Parameters.AddWithValue("@Password", password); con.Open(); SqlDataReader dr = cmd.ExecuteReader(); if (dr.Read()) { ret = dr.GetBoolean(0); } } catch (Exception) { } return ret; } Please note that you should not store passwords openly in your database, if any body can hack into it they can steal it. Thanks, Debata Akiii, if this helps please login to Mark As Answer*. \| Alert Moderator

Hi Akiii,
Try to create a procedure like this


Create PROC IsValidUser(@UserName nvarchar(50),@Password nvarchar(50))

as

Begin

IF EXISTS(select 1 from tblUser 

where UserName=@UserName and [Password] = @Password COLLATE SQL_Latin1_General_CP1_CS_AS)

Select Cast( 1 as bit) Found

Else

Select Cast( 0 as bit) Found	

End

Then in the code behind

private bool IsValidUser(string username, string password)

        {

            bool ret = false;

            if(string.IsNullOrEmpty(username)|| string.IsNullOrEmpty(password))

                throw new ArgumentNullException("Invalid Username or Password");

            SqlConnection con = new SqlConnection("<Your Connection string>");

            try

            {

                SqlCommand cmd = new SqlCommand();

                cmd.Connection = con;

                cmd.CommandType = System.Data.CommandType.StoredProcedure;

                cmd.CommandText = "dbo.IsValidUser";

                cmd.Parameters.AddWithValue("@UserName", username);

                cmd.Parameters.AddWithValue("@Password", password);

                con.Open();

                SqlDataReader dr = cmd.ExecuteReader();

                if (dr.Read())

                {

                    ret = dr.GetBoolean(0);

                }

            }

            catch (Exception)

            {

                

            }

            return ret;

        }

*Please note that you should not store passwords openly in your database, if any body can hack into it they can steal it.

Thanks,
Debata

Akiii, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Nithadeepak on: 6/9/2011 [Member] Bronze | Points: 50

0	Hi Akiii, You can encrypt the credentials using the FormsAuthentication class's HashPasswordForStoringInConfigFile method. This method uses the SHA1 or MD5 algorithms to encrypt data, as shown below: Password = FormsAuthentication.HashPasswordForStoringInConfigFile(Password, "SHA1"); just go through this .... http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.hashpasswordforstoringinconfigfile.aspx Nitha Deepak Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Hi Akiii,

You can encrypt the credentials using the FormsAuthentication class's HashPasswordForStoringInConfigFile method. This method uses the SHA1 or MD5 algorithms to encrypt data, as shown below:
Password = FormsAuthentication.HashPasswordForStoringInConfigFile(Password, "SHA1");

just go through this ....

http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.hashpasswordforstoringinconfigfile.aspx

Nitha Deepak

Akiii, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Nithadeepak on: 6/13/2011 [Member] Bronze | Points: 50

0	pls go through the links... http://www.dotnetfunda.com/articles/article1354-encryption-and-decryption-using-cryptography-application-block-in-enterpris-.aspx http://www.dotnetfunda.com/articles/article1356-cryptography-application-block-in-enterprise-library-50-part-2-.aspx http://www.dotnetfunda.com/articles/article1353-implementing-encryption-and-decryption-in-windows-and-web-application-.aspx first you encrypt the password and then store it in the database. Nitha Deepak Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

pls go through the links...

http://www.dotnetfunda.com/articles/article1354-encryption-and-decryption-using-cryptography-application-block-in-enterpris-.aspx
http://www.dotnetfunda.com/articles/article1356-cryptography-application-block-in-enterprise-library-50-part-2-.aspx

http://www.dotnetfunda.com/articles/article1353-implementing-encryption-and-decryption-in-windows-and-web-application-.aspx

first you encrypt the password and then store it in the database.

Nitha Deepak

Akiii, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Akiii on: 6/9/2011 [Member] Bronze | Points: 25

0	Hi narayan.... i am looking into your code.....i will get back to you asap.... in the meantime....you said that storing password openly will lead to problems.......surely but what are the ways in which i can encrypt that and how will i retrieve the encrypted value from the database...? As always thanks for ur constant support! Regards Akiii Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Hi narayan....

i am looking into your code.....i will get back to you asap....
in the meantime....you said that storing password openly will lead to problems.......surely but what are the ways in which i can encrypt that and how will i retrieve the encrypted value from the database...?

As always thanks for ur constant support!

Regards
Akiii

Akiii, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Ndebata on: 6/9/2011 [Member] Starter | Points: 25

0	Hello Akiii, As there are many ways to do this. One could be like this ( generates a random salt then combines with the password then hashes it). You can add your own logic here. :) http://www.blackwasp.co.uk/SaltedPasswordHashing_2.aspx Thanks, Debata Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Akiii on: 6/9/2011 [Member] Bronze | Points: 25

0	I am attaching the project for your perusal.. Akiii Download source file Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Akiii on: 6/10/2011 [Member] Bronze | Points: 25

0	hi nitha.... its a good link.... i made a web-project and executed the code and its working fine.... But can you tell me where the hashpassword is being stored...because i cant find it in web.config file ? Thanks and Regards Akiii Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Nithadeepak on: 6/10/2011 [Member] Bronze | Points: 25

0	The HashPasswordForStoringInConfigFile method creates a hashed password value that can be used when storing forms-authentication credentials in the configuration file for an application. With Forms Authentication we can store usernames and passwords in the login code itself, the web.config file , a database, or an XML file. <?xml version="1.0"?> <configuration> <system.web> <authentication mode="Forms"> <forms> <credentials passwordFormat="Clear"> <user name="admin" password="password" /> //here you can use hashed password </credentials> </forms> </authentication> <authorization> <deny users="?"/> </authorization> </system.web> </configuration> For more detailed explanation, refer http://www.codefixer.com/asp-net/tutorials/asp-net-login-with-forms-authentication.asp Nitha Deepak Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

The HashPasswordForStoringInConfigFile method creates a hashed password value that can be used when storing forms-authentication credentials in the configuration file for an application.
With Forms Authentication we can store usernames and passwords in the login code itself, the web.config file , a database, or an XML file.

<?xml version="1.0"?>

<configuration>

 <system.web>

  <authentication mode="Forms">

   <forms>

     <credentials passwordFormat="Clear">

        <user name="admin" password="password" />  //here you can use hashed password

     </credentials>

   </forms>

  </authentication>

<authorization>

 <deny users="?"/>

</authorization>

</system.web>

</configuration>

For more detailed explanation, refer http://www.codefixer.com/asp-net/tutorials/asp-net-login-with-forms-authentication.asp

Nitha Deepak

Akiii, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Akiii on: 6/10/2011 [Member] Bronze | Points: 25

0	Hi nitha... I tired your link.....but i am not being able to do one thing....that is.. Suppose i login via a valid username and password......then i want to persist the login even if i close the browser...!! Please tell me how to do this...? Your link contains that one but i am not being able to do that...! Thanks for ur support... Akiii Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Hi nitha...

I tired your link.....but i am not being able to do one thing....that is..
Suppose i login via a valid username and password......then i want to persist the login even if i close the browser...!!
Please tell me how to do this...?

Your link contains that one but i am not being able to do that...!

Thanks for ur support...
Akiii

Akiii, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Nithadeepak on: 6/10/2011 [Member] Bronze | Points: 25

0	You can config the session timeout at web.config < sessionState mode="InProc" cookieless="false" timeout="20" /> http://msdn.microsoft.com/en-us/library/h6bb9cz9(v=vs.71).aspx Nitha Deepak Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Akiii on: 6/13/2011 [Member] Bronze | Points: 25

0	Hi nitha, Thanks for the link..... i successfully build my project using < sessionState mode="InProc" cookieless="false" timeout="20" /> Just tell me is it a good practice to store password in web.config file by encrypting it ? Thanks and regards Akiii Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Akiii on: 6/13/2011 [Member] Bronze | Points: 25

0	Hi, when i am taking the password from the textbox2.....then how will i encrypt it and store it in the database.....? Regards Akiii Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Nithadeepak on: 6/13/2011 [Member] Bronze | Points: 25

0	I think it is better to store the credentials in database( in encrypted form) if you have to store so many credentials(ie, if your application allows visitors to register then u have to store unlimited number of credentials). If there is only one or two users to log in to your application, then store it in web.config. Its only my thinkings... Pls correct me if i am wrong. Nitha Deepak Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

I think it is better to store the credentials in database( in encrypted form) if you have to store so many credentials(ie, if your application allows visitors to register then u have to store unlimited number of credentials).

If there is only one or two users to log in to your application, then store it in web.config.

Its only my thinkings...
Pls correct me if i am wrong.

Nitha Deepak

Akiii, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Akiii on: 6/13/2011 [Member] Bronze | Points: 25

0	yes you are right....its better to store in database if there is huge amount of data unless its okay to store that in web.config... Could you please tell me how to store encrypt password in a database..?? Akiii Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Akiii on: 6/13/2011 [Member] Bronze | Points: 25

0	Hi nitha.... thanks for the links..... i got my password encrypted and decrypted..... Thanks for ur constant support... Regards Akiii Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Nithadeepak on: 6/13/2011 [Member] Bronze | Points: 25

0	Akiiii.........., If you got the correct solution, pls mark it as resolved. Nitha Deepak Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Latest Posts