Salt & Un-Salt password Value to HiddenField
Hello Experts,
Please see my attached Login and Forgot Password Code below. I need to give users the ability to retrieve their password if they forget it by entering their username and if the username is in the system it will send an email with their password using the usernames email that they entered when they created their account.
Please note: Login CodeBehind works fine. Also, I was able to get the code to work by modifying the original Login code for the Password Retrieveal and when I try to retrieve the password I get the password which is not decrypted or un-salted.
Please see my attached Login and Forgot Password Code below. I need to give users the ability to retrieve their password if they forget it by entering their username and if the username is in the system it will send an email with their password using the usernames email that they entered when they created their account.
Please note: Login CodeBehind works fine. Also, I was able to get the code to work by modifying the original Login code for the Password Retrieveal and when I try to retrieve the password I get the password which is not decrypted or un-salted.
LOGIN CODEBEHIND:
using System;
using System.Configuration;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Net.Mail;
using System.Net.NetworkInformation;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;
public partial class programinfo_ghap_login : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void btn_ProgramInfoSignIn_Click(object sender, EventArgs e)
{
//Retrieve the guid from db
string guid = String.Empty;
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["HealthCourses"].ConnectionString))
{
SqlCommand cmd = new SqlCommand();
cmd.CommandText = "HealthCourses_LoginPassSalt";
cmd.CommandType = CommandType.StoredProcedure;
cmd.Connection = conn;
cmd.Parameters.AddWithValue("@users_username", SqlDbType.VarChar).Value = txtUserName.Text;
DataTable dtGuid = new DataTable();
SqlDataAdapter adp = new SqlDataAdapter();
adp.SelectCommand = cmd;
adp.Fill(dtGuid);
if (dtGuid != null && dtGuid.Rows.Count > 0)
{
guid = dtGuid.Rows[0]["users_password_salt"].ToString();
SqlCommand cmdClientLogin = new SqlCommand();
cmdClientLogin.CommandText = "HealthCourses_Login";
cmdClientLogin.CommandType = CommandType.StoredProcedure;
cmdClientLogin.Connection = conn;
cmdClientLogin.Parameters.AddWithValue("@users_username", SqlDbType.VarChar).Value = txtUserName.Text;
cmdClientLogin.Parameters.AddWithValue("@users_password", SqlDbType.VarChar).Value = SHA512_HASH.ComputeSHA512Hash(txtPassword.Text + guid);
conn.Open();
SqlDataReader rdr = cmdClientLogin.ExecuteReader();
if (rdr.HasRows && rdr.Read())
{
rdr.Close();
conn.Close();
Session["UserNameSessionID"] = txtUserName.Text;
FormsAuthentication.RedirectFromLoginPage(txtPassword.Text, false);
}
}
else
{
lblSignInError.Text = "Invalid Credentials!";
}
}
}
}
LOGIN STORED PROCEDURES:
ALTER PROCEDURE [dbo].[HealthCourses_LoginPassSalt]
(
@users_username varchar(50)
)
AS
SELECT users_username, users_password_salt
FROM dbo.HealthCourses_Users
WHERE users_username = @users_username
ALTER PROCEDURE [dbo].[HealthCourses_Login]
(
@users_username varchar(50),
@users_password varchar(50)
)
AS
SELECT users_password
FROM dbo.HealthCourses_Users
WHERE users_username = @users_username AND users_password = @users_passwordRETRIEVE PASSWORD CODEBEHIND:
using System;
using System.Configuration;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Net.Mail;
using System.Net.NetworkInformation;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;
public partial class programinfo_ghap_forgotpassword : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void btn_ForgotPassword_Click(object sender, EventArgs e)
{
string guid = String.Empty;
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["HealthCourses"].ConnectionString))
{
SqlCommand cmd = new SqlCommand();
cmd.CommandText = "HealthCourses_LoginPassSalt";
cmd.CommandType = CommandType.StoredProcedure;
cmd.Connection = conn;
cmd.Parameters.AddWithValue("@users_username", SqlDbType.VarChar).Value = txtUsername.Text;
DataTable dtGuid = new DataTable();
SqlDataAdapter adp = new SqlDataAdapter();
adp.SelectCommand = cmd;
adp.Fill(dtGuid);
if (dtGuid != null && dtGuid.Rows.Count > 0)
{
guid = dtGuid.Rows[0]["users_password_salt"].ToString();
SqlCommand cmdClientLogin = new SqlCommand();
cmdClientLogin.CommandText = "HealthCourses_Login2";
cmdClientLogin.CommandType = CommandType.StoredProcedure;
cmdClientLogin.Connection = conn;
cmdClientLogin.Parameters.AddWithValue("@users_username", SqlDbType.VarChar).Value = txtUsername.Text;
// cmdClientLogin.Parameters.AddWithValue("@users_password", SqlDbType.VarChar).Value = SHA512_HASH.ComputeSHA512Hash(hf_password.Value + guid);
conn.Open();
SqlDataReader rdr = cmdClientLogin.ExecuteReader();
if (rdr.HasRows && rdr.Read())
{
hf_email.Value = rdr["users_email"].ToString();
hf_password.Value = rdr["users_password"].ToString() + guid;
SmtpClient smtpClient = new SmtpClient();
MailMessage message = new MailMessage();
// Prepare email address
MailAddress fromAddress = new MailAddress("bpsupport@nndsonline.org", "BP Support");
MailAddress toAddress = new MailAddress(HttpUtility.HtmlEncode(hf_email.Value));
//MailAddress toAddress = new MailAddress("bpsupport@nndsonline.org", "BP Support");
//Dim ccAddress As New MailAddress("first.last@nndsonline.org", "First Last")
message.From = fromAddress;
message.To.Add(toAddress);
//message.CC.Add(ccAddress)
//message.Subject = HttpUtility.HtmlEncode(txtYourEmail.Text);
message.Subject = "Retrieve Password";
message.IsBodyHtml = true;
message.Body = "<html><head><title>" + "</title></head><body>" + "<p>" + "<span style=\"font-size: 16px; color: #780028; font-family: Arial\"><p><b>Password Retrieve:</b></p></span>" + "<br />" + "<span style=\"font-size: 14px; color: #780028; font-family: Arial\"><b>Organization Name: </b><font face='arial' color='#666666'>" + HttpUtility.HtmlEncode(hf_password.Value) + "</body></html>";
smtpClient.Host = "mail.nndsonline.org";
smtpClient.Send(message);
rdr.Close();
conn.Close();
}
}
else
{
lblUsernameError.Text = "Invalid Credentials!";
}
}
}
}
RETRIEVE PASSWORD STORED PROCEDURES:
ALTER PROCEDURE [dbo].[HealthCourses_LoginPassSalt]
(
@users_username varchar(50)
)
AS
SELECT users_username, users_password_salt
FROM dbo.HealthCourses_Users
WHERE users_username = @users_username
ALTER PROCEDURE [dbo].[HealthCourses_Login2]
(
@users_username varchar(50)
)
AS
SELECT users_password, users_email
FROM dbo.HealthCourses_Users
WHERE users_username = @users_usernameASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Expert never came back to assist.
ASKER
Sorry, I believe that I'm already storing the password as a hash. Would you be able to help me with my code in regards to retrieving the password and then decrypt it using the salt value?
Also not sure what you mean by never display the guid in the application. Could you explain further or correct it in my code?