1

I have an aspx login page (login.aspx) which takes the username and password. On submitting the form, the action attribute redirects to another page (validator.aspx) where I simply want to compare it with database credentials and verify if it is correct. On success, I want to redirect to the homepage, else display an alert message ("Invalid credentials").

Below is the code I have in validator.aspx page: (Please note, I am not using code behind for some reasons. Hence using this aspx page)

<%@ Page Title="" Language="C#" MasterPageFile="~/project/MasterPage.master" %>
<%@ Import Namespace="System.Collections" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Data" %>

<script runat="server">
private SqlConnection conn;
private SqlCommand cmd;
string uname, upass;
protected void page_Load(object sender, EventArgs e)
{
    uname = Request.QueryString["name"];
    upass = Request.QueryString["pass"];
    string connectionString = ConfigurationManager.ConnectionStrings["myconn"].ToString();
    conn = new SqlConnection(connectionString);
    cmd = new SqlCommand("", conn);
    cmd.Parameters.Add("@username", SqlDbType.VarChar);
    cmd.Parameters["@username"].Value = uname;
    cmd.Parameters.Add("@password", SqlDbType.VarChar);
    cmd.Parameters["@password"].Value = upass;
    string query = "SELECT * FROM mydb.mytable WHERE username = @username AND password = @password";
    try
    {
        conn.Open();
        cmd.CommandText = query;
        SqlDataReader reader = cmd.ExecuteReader();
        // ExecuteReader never returns null; a matching row is what signals a valid login.
        if (reader.HasRows)
        {
            Response.Redirect("homepage.html");
        }
        else
        {
            ScriptManager.RegisterClientScriptBlock(this, this.GetType(), "alertMessage", "alert('Invalid Login Credentials');", true);
        }
    }
    finally
    {
        conn.Close();
    }
}
</script>

<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
</asp:Content>
<asp:Content ID="Content2" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
</asp:Content>

The problem is that the values are not posting and I get an error message that username and password expect a value. Can someone tell me the resolution for this? Also, I want to know if there are any other approaches for achieving this login verification.

2 Answers

1

I agree with what @J0e3gan has posted,

but....

stop what you are doing... there be monsters down that path.

What it looks like you are doing is storing passwords as un-encrypted strings. You are only going to invite a world of pain with the way you are approaching this. There are plenty of resources around the web that will help point you in the right direction.

For the basics, starting a new ASP.net (web forms or MVC) (VS 2013) project comes with Authentication built in.

Some blogs that you can read.

ASP.net Identity
Dominick Baier's Blog - leastprivilege.com
Troy Hunt's Blog


0

"The problem is values are not posting" leads one to believe that username and password submission is by HTTP POST; but QueryString["name"] and QueryString["pass"] are (typically) not consistent with this - rather indicative of HTTP GET.

Try changing...

uname = Request.QueryString["name"];
upass = Request.QueryString["pass"];

...to...

uname = Request.Form["name"];
upass = Request.Form["pass"];

...to start.

The other glaring thing that leaps out at me is that you seem to be comparing cleartext passwords - i.e. the one submitted to ones in the database. If you are not comparing password hashes, you should be. One place to start is a related CodeProject article, but SO surely has related content too.

Beyond this, you are probably best off to approach "[whether] there are any other approaches for achieving this login verification" in a distinct, follow-on question - probably on the Programmers SE site being that it is pretty open-ended.

5 Comments

I'm sorry, I misused the words. I am using method="get" in the form. Hence I used QueryString. Nevertheless, I tried changing that to post and using Request.Form too. But it still doesn't work. I am still just testing out how things work. Hence I am comparing the plaintext passwords. I will be performing the encryption at a later phase, when I get the login page working.
@newguy: That makes sense. Have you debugged to inspect Request.Form - whether it contains name and pass form variables with the values you expect? Looking at this again, Request looks suspicious: I suspect you should be using HttpContext.Current.Request instead.
Yes. I tried inspecting as you said. It shows the below values as parameters: ctl00$ContentPlaceHolder1$name:abc, ctl00$ContentPlaceHolder1$pass:asd, ctl00$ContentPlaceHolder1$submit:Login. I think it has something to do with the master file. I will try to remove the master page, which seems useless in this page.
I removed the master pages which were causing the issue. But now I am facing a new problem. Can you help me with that? @J0e3gan This error message is very difficult for me to understand :- Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Removing the master page solved the problem. Thanks for your help!
