Velocity Reviews - Computer Hardware Reviews

FormAuthentication hashed passwords

 
 
bthumber
      10-30-2008
I am trying to authenticate a userID and password. I checked the spelling of both
userID and password. The problem is it is always false, and I know I typed
in the correct data. What am I doing wrong? Here is my code:

using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;
using System.Web.Security;

// The methods below are members of the login page's code-behind class.

private bool VerifyPasswords(string suppliedUserName, string suppliedPassword)
{
    bool passwordMatch = false;

    string connection = WebConfigurationManager.AppSettings["ConnectionString"];
    SqlConnection cn = new SqlConnection(connection);
    SqlCommand cmd = new SqlCommand("LookupUser", cn);
    cmd.CommandType = CommandType.StoredProcedure;

    SqlParameter sqlParam = cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50);
    sqlParam.Value = suppliedUserName;

    try
    {
        cn.Open();
        string dbPasswordHash;
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            // No row means the user name is unknown: report a failed match
            // instead of letting GetString throw.
            if (!reader.Read())
            {
                return false;
            }
            dbPasswordHash = reader.GetString(0);
        }

        // The salt is taken to be the last saltSize characters of the stored
        // value, so the column must hold exactly hash + salt; any trailing
        // padding would be read as part of the salt.
        int saltSize = 5;
        if (dbPasswordHash.Length < saltSize)
        {
            return false;
        }
        string salt = dbPasswordHash.Substring(dbPasswordHash.Length - saltSize);

        string hashedPasswordAndSalt = CreatePasswordHash(suppliedPassword, salt);
        passwordMatch = hashedPasswordAndSalt.Equals(dbPasswordHash);
    }
    catch (Exception ex)
    {
        // Keep the original exception as InnerException so the stack trace survives.
        throw new Exception("Exception verifying password. " + ex.Message, ex);
    }
    finally
    {
        cn.Close();
    }
    return passwordMatch;
}

protected void btnLogin_Click(object sender, EventArgs e)
{
    bool passwordVerified = false;

    try
    {
        passwordVerified = VerifyPasswords(txtUID.Text, txtPW.Text);
    }
    catch (Exception ex)
    {
        // As posted, the exception text is shown to the user.
        lblMessage.Text = ex.Message;
        return;
    }

    if (passwordVerified)
    {
        lblMessage.Text = "Logon successful: user is authenticated";
    }
    else
    {
        lblMessage.Text = "Invalid username or password.";
    }
}
///////////////////////////////////////////////////////////////////////////////

ALTER PROCEDURE LookupUser
    @username nvarchar(50)
AS
    SELECT PasswordHash FROM CshipUsers WHERE UserName = @username

//////////////////////////////////////////////////////////////////////////////

// Hashes password + salt with SHA-1 (returned as a hex string) and appends
// the salt in clear so it can be recovered at verification time.
private static string CreatePasswordHash(string pwd, string salt)
{
    string saltAndPwd = String.Concat(pwd, salt);
    string hashedPwd =
        FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1");
    hashedPwd = String.Concat(hashedPwd, salt);

    return hashedPwd;
}


 