ASP.Net: Validate Login with encrypted password from Database using C#

RichardS...

SOLVED CLOSED ACTIVE ANSWERED
User: RichardSa
Posted: on Jan 13, 2023 06:42 AM
Forum: ASP.Net Web Forms
Answer: 2
Views: 2451

Hello forum,

If I have an encrypted password in my database how can I use the same encryption to check the password and login?

Here is my login and encryption code

private bool ValidateUser(string email, string pass)
{
    SqlConnection conn;
    SqlCommand cmd;
    string lookupPassword = null;
 
    // Check for invalid userName.
    // userName must not be null and must be between 1 and 15 characters.
    if ((null == email) || (0 == email.Length) || (email.Length > 15))
    {
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of userName failed.");
        return false;
    }
 
    // Check for invalid passWord.
    // passWord must not be null and must be between 1 and 25 characters.
    if ((null == pass) || (0 == pass.Length) || (pass.Length > 25))
    {
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of passWord failed.");
        return false;
    }
 
    try
    {
        // Consult with your SQL Server administrator for an appropriate connection
        // string to use to connect to your local SQL Server.
        conn = new SqlConnection("Data Source=(LocalDB)\\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\\AuthenticationTestDatabase.mdf;Integrated Security = True");
        conn.Open();
 
        // Create SqlCommand to select pwd field from users table given supplied userName.
        cmd = new SqlCommand("Select pass from Users where email=@email", conn);
        cmd.Parameters.Add("@email", SqlDbType.VarChar, 25);
        cmd.Parameters["@email"].Value = email;
 
        // Execute command and fetch pwd field into lookupPassword string.
        lookupPassword = (string)cmd.ExecuteScalar();
 
        // Cleanup command and connection objects.
        cmd.Dispose();
        conn.Dispose();
    }
    catch (Exception ex)
    {
        // Add error handling here for debugging.
        // This error message should not be sent back to the caller.
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Exception " + ex.Message);
    }
 
    // If no password found, return false.
    if (null == lookupPassword)
    {
        // You could write failed login attempts here to event log for additional security.
        return false;
    }
 
    // Compare lookupPassword and input passWord, using a case-sensitive comparison.
    return (0 == string.Compare(lookupPassword, pass, false));
}
 
private void CmdLogin_ServerClick(object sender, System.EventArgs e)
{
    if (ValidateUser(txtUserName.Value, txtUserPass.Value))
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Value, chkPersistCookie.Checked);
    else
        Response.Redirect("logon.aspx", true);
}

Encryption

private string Decrypt(string cipherText)
{
    string EncryptioKey = "MAKV2SPBNI99212";
    byte[] cipherbytes = Convert.FromBase64String(cipherText);
 
    using (Aes encryptor = Aes.Create())
    {
        Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptioKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
        encryptor.Key = pdb.GetBytes(32);
        encryptor.IV = pdb.GetBytes(16);
        using (MemoryStream ms = new MemoryStream())
        {
            using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateDecryptor(), CryptoStreamMode.Write))
            {
                cs.Write(cipherbytes, 0, cipherbytes.Length);
                cs.Close();
            }
            cipherText = Encoding.Unicode.GetString(ms.ToArray());
        }
    }
    return cipherText;
}

Download FREE API for Word, Excel and PDF in ASP.Net

PrinceG

0 3

Reply
ANSWER
User: PrinceG
Replied: on Jan 16, 2023 04:14 AM
Modified: on Jan 16, 2023 04:26 AM
Report

Hi RichardSa,

Note: For this sample i have used below article. For more details refer

In this sample, you see that I have an encrypted password in my database and, using the same encryption method, I was checking the login credentials.

Please refer below sample.

HTML

Login

<div class="row">
    <div class="col-sm-5">
        <div class="container-fluid">
            <br />
            <h2 class="form-signin-heading">LOGIN</h2>
            <div id="dvMessage" runat="server" visible="false" class="alert alert-danger">
                <strong><i class="fad fa-exclamation-square" aria-hidden="true"></i>&nbsp;</strong>
                <asp:Label ID="lblMessage" runat="server" />
            </div>
            <label for="txtUsername">UserName</label>
            <asp:TextBox ID="txtUsername" runat="server" CssClass="form-control" Font-Size="11pt" placeholder="UserName" Width="30%" /><br />
            <br />
            <label for="txtPassword">Password</label>
            <asp:TextBox ID="txtPassword" runat="server" TextMode="Password" CssClass="form-control" Font-Size="11pt" placeholder="Password" /><br />
            <a href="#">Forgotten Password?</a>
            <br />
            <br />
            <asp:Button ID="Button1" runat="server" CssClass="btn btn-primary" BackColor="#32657c" Text="Login" OnClick="ValidateUser" />
            <br />
            <br />
        </div>
        <br />
    </div>
</div>

Home

<h1>Home</h1>
<asp:Label ID="lblMessage" runat="server"></asp:Label>

Namespaces

using System.IO;
using System.Text;
using System.Data;
using System.Web.Security;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;

Code

Login

protected void Page_Load(object sender, EventArgs e)
{
    if (!this.IsPostBack)
    {
        if (this.Page.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.SignOut();
            Response.Redirect("~/Login.aspx");
        }
    }
}

protected void ValidateUser(object sender, EventArgs e)
{
    if (!string.IsNullOrEmpty(txtUsername.Text) & !string.IsNullOrEmpty(txtPassword.Text))
    {
        string constring = ConfigurationManager.ConnectionStrings["constr"].ConnectionString;
        using (SqlConnection con = new SqlConnection(constring))
        {
            using (SqlCommand cmd = new SqlCommand("SELECT Username,Password FROM Users WHERE Username = @Username AND Password = @Password", con))
            {
                con.Open();
                cmd.Parameters.AddWithValue("@Username", txtUsername.Text.Trim());
                cmd.Parameters.AddWithValue("@Password", Encrypt(txtPassword.Text.Trim()));
                string userId = Convert.ToString(cmd.ExecuteScalar());
                con.Close();

                //checks to see if logi details are correct
                if (!string.IsNullOrEmpty(userId))
                {
                    string users = "";
                    //checks to see if account has been activated
                    using (SqlCommand cmd1 = new SqlCommand("SELECT Password FROM Users WHERE Username = @Username"))
                    {
                        cmd1.CommandType = CommandType.Text;
                        cmd1.Parameters.AddWithValue("@Username", userId);
                        cmd1.Connection = con;
                        con.Open();
                        users = Convert.ToString(cmd1.ExecuteScalar());
                        con.Close();
                    }
                    if (!string.IsNullOrEmpty(users))
                    {
                        string user = "";
                        using (SqlCommand cmd2 = new SqlCommand("SELECT Username,Password FROM Users WHERE Username = @Username AND Password = @Password"))
                        {
                            cmd2.CommandType = CommandType.Text;
                            cmd2.Parameters.AddWithValue("@Username", txtUsername.Text.Trim());
                            cmd2.Parameters.AddWithValue("@Password", Encrypt(txtPassword.Text.Trim()));
                            cmd2.Connection = con;
                            con.Open();
                            user = Convert.ToString(cmd2.ExecuteScalar());
                            con.Close();
                        }
                        if (user != "")
                        {
                            Session["user"] = user;
                            FormsAuthentication.RedirectFromLoginPage(user, true);
                        }
                    }
                    else
                    {
                        dvMessage.Visible = true;
                        lblMessage.Visible = true;
                        lblMessage.ForeColor = System.Drawing.Color.Red;
                        lblMessage.Text = "Account has not been activated";
                        txtPassword.Text = "";
                        txtPassword.Focus();
                    }
                }
                else
                {
                    dvMessage.Visible = true;
                    lblMessage.Visible = true;
                    lblMessage.ForeColor = System.Drawing.Color.Red;
                    lblMessage.Text = "Invalid Login Details";
                    txtPassword.Text = "";
                    txtPassword.Focus();
                }
            }
        }
    }

    else
    {
        dvMessage.Visible = true;
        lblMessage.Visible = true;
        lblMessage.ForeColor = System.Drawing.Color.Red;
        lblMessage.Text = "All Fields are Required";
    }
}

private string Encrypt(string clearText)
{
    string encryptionKey = "MAKV2SPBNI99212";
    byte[] clearBytes = Encoding.Unicode.GetBytes(clearText);
    using (Aes encryptor = Aes.Create())
    {
        Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(encryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
        encryptor.Key = pdb.GetBytes(32);
        encryptor.IV = pdb.GetBytes(16);
        using (MemoryStream ms = new MemoryStream())
        {
            using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write))
            {
                cs.Write(clearBytes, 0, clearBytes.Length);
                cs.Close();
            }
            clearText = Convert.ToBase64String(ms.ToArray());
        }
    }
    return clearText;
}

Home

protected void Page_Load(object sender, EventArgs e)
{
    if (this.Page.User.Identity.IsAuthenticated)
    {
        lblMessage.Text = Session["user"].ToString();
    }            
}

Screenshot

I agree, here is the link: https://www.e-iceblue.com/Introduce/spire-office-for-net-free.html

ASP.Net: Validate Login with encrypted password from Database using C#

Role based Authorization and Authentication in ASP.Net

Company

Explore

Follow us

Contact Us