Here is the registration page with its encryption method; the password is encrypted before it is stored:
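/// <summary>
/// On postback, checks whether the submitted user name is already taken.
/// The lookup is parameterised: the user-supplied name never becomes part of the SQL text,
/// which is what made the original string-built query injectable.
/// </summary>
protected void Page_Load(object sender, EventArgs e)
{
    if (IsPostBack)
    {
        // "FROM"/"WHERE" restored; the query as pasted had both keywords missing.
        const string checkUser = "SELECT COUNT(*) FROM userdata WHERE username = @username";
        using (SqlConnection conn = new SqlConnection(
            ConfigurationManager.ConnectionStrings["registrationconnectionstring"].ConnectionString))
        using (SqlCommand scm = new SqlCommand(checkUser, conn))
        {
            scm.Parameters.AddWithValue("@username", txtuser.Text);
            conn.Open();
            int temp = Convert.ToInt32(scm.ExecuteScalar());
            if (temp == 1) // user already exists
            {
                Response.Write("user existing");
            }
        } // the using blocks close the connection even if ExecuteScalar throws
    }
}

/// <summary>
/// Inserts the new account. All values are bound as parameters (as in the original);
/// the password is stored as the Base64 output of <see cref="encrypt"/>.
/// </summary>
protected void btn_registration_click(object sender, EventArgs e)
{
    try
    {
        const string insertQuery =
            "INSERT INTO userdata(username,firstname,lastname,email,password,customertype,deliveryaddress,zip,contactnumber)" +
            "VALUES(@username,@firstname,@lastname,@email,@password,@customertype,@deliveryaddress,@zip,@contactnumber)";
        using (SqlConnection conn = new SqlConnection(
            ConfigurationManager.ConnectionStrings["registrationconnectionstring"].ConnectionString))
        using (SqlCommand scm = new SqlCommand(insertQuery, conn))
        {
            scm.Parameters.AddWithValue("@username", txtuser.Text);
            scm.Parameters.AddWithValue("@firstname", txtfn.Text);
            scm.Parameters.AddWithValue("@lastname", txtln.Text);
            scm.Parameters.AddWithValue("@email", txtemail.Text);
            scm.Parameters.AddWithValue("@password", encrypt(txtpw.Text));
            scm.Parameters.AddWithValue("@customertype", radiobuttonlist1.SelectedItem.ToString());
            scm.Parameters.AddWithValue("@deliveryaddress", txtaddress.Text);
            scm.Parameters.AddWithValue("@zip", txtzip.Text);
            scm.Parameters.AddWithValue("@contactnumber", txtcontact.Text);
            conn.Open();
            scm.ExecuteNonQuery();
        }

        Session["contact"] = txtcontact.Text;
        Session["email"] = txtemail.Text;
        Session["deliveryaddress"] = txtaddress.Text;
        label_register_success.Text = "registration successful!";
        //Response.Redirect("home.aspx");
    }
    catch (Exception ex)
    {
        // Keep the full exception (stack trace, connection details, SQL error text) on the
        // server; echoing ex.ToString() to the browser discloses internals to any visitor.
        System.Diagnostics.Trace.TraceError(ex.ToString());
        Response.Write("error: registration failed");
    }
}

/// <summary>
/// Encrypts <paramref name="cleartext"/> with AES-CBC and returns the ciphertext as Base64.
/// Key and IV are both taken from one PBKDF2 (Rfc2898DeriveBytes) stream seeded with a key
/// and salt that are constants in this source file.
/// </summary>
/// <remarks>
/// NOTE(review): reversible encryption is not a password store. Anyone with this source or
/// the compiled binary can decrypt every stored password, and because key, salt and IV are
/// all constant the same password always produces the same ciphertext. Store a salted hash
/// (e.g. PBKDF2 with a random per-user salt) and compare hashes at login instead.
/// </remarks>
private string encrypt(string cleartext)
{
    string encryptionkey = "makv2spbni99212";
    byte[] clearbytes = Encoding.Unicode.GetBytes(cleartext); // UTF-16LE, matches decrypt
    using (Aes encryptor = Aes.Create())
    // Fixed salt as on the page; this constructor uses the default iteration count (1000).
    using (Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(encryptionkey,
        new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 }))
    using (MemoryStream ms = new MemoryStream())
    {
        encryptor.Key = pdb.GetBytes(32); // 256-bit key
        encryptor.IV = pdb.GetBytes(16);  // next 16 bytes of the same stream: a constant IV
        using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write))
        {
            cs.Write(clearbytes, 0, clearbytes.Length);
        } // disposing the CryptoStream flushes the final padded block into ms
        return Convert.ToBase64String(ms.ToArray());
    }
}

And here is the login code with the decryption method; the stored password is decrypted before checking whether it matches the password the user entered: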
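/// <summary>
/// Looks up the stored (encrypted) password for the submitted user name, decrypts it and
/// compares it with the entered password. Both queries are parameterised; the original built
/// them by concatenating <c>txtuser.Text</c> into the SQL, which is a SQL injection point.
/// </summary>
/// <remarks>
/// NOTE(review): this page connects with a connection string hard-coded here, while the
/// registration page reads "registrationconnectionstring" from configuration. If the two do
/// not point at the same database, the SELECT below returns something other than the Base64
/// text the registration page wrote, and Convert.FromBase64String fails with "Invalid length
/// for a Base-64 char array or string" — worth confirming before looking elsewhere.
/// </remarks>
protected void btn_login_click(object sender, EventArgs e)
{
    const string checkUser = "SELECT COUNT(*) FROM userdata WHERE username = @username";
    const string checkPassword = "SELECT password FROM userdata WHERE username = @username";

    using (SqlConnection conn = new SqlConnection(
        "data source = 'paulo'; initial catalog=shoppingcartdb;integrated security =true"))
    {
        conn.Open();

        int temp;
        using (SqlCommand scm = new SqlCommand(checkUser, conn))
        {
            scm.Parameters.AddWithValue("@username", txtuser.Text);
            temp = Convert.ToInt32(scm.ExecuteScalar());
        }

        if (temp != 1)
        {
            lblcrederror.Text = "credentials dont match";
            return;
        }

        string stored;
        using (SqlCommand passcom = new SqlCommand(checkPassword, conn))
        {
            passcom.Parameters.AddWithValue("@username", txtuser.Text);
            // Null (no row / NULL column) is treated as a mismatch instead of a NullReferenceException.
            stored = passcom.ExecuteScalar() as string;
        }

        // NOTE(review): a plain string compare is fine for correctness here; a hashed
        // password store would replace this whole decrypt-and-compare step.
        if (stored != null && decrypt(stored) == txtpassword.Text)
        {
            Session["new"] = txtuser.Text;
            // The redirect ends the response, so this script never reaches the browser.
            Response.Write("<script>alert('logged in')</script>");
            Response.Redirect("ordernow.aspx");
        }
        else
        {
            lblcrederror.Text = "credentials dont match";
        }
    }
}

/// <summary>
/// Inverse of the registration page's <c>encrypt</c>: Base64 → AES-CBC decrypt → UTF-16LE string.
/// Key, salt and IV derivation must match that method byte for byte.
/// </summary>
/// <remarks>
/// NOTE(review): key and salt are constants in source, so anyone holding the source or binary
/// can decrypt every stored password. Convert.FromBase64String throws FormatException when
/// the input is not valid Base64 (e.g. truncated or not produced by encrypt), and the
/// CryptoStream throws CryptographicException on a padding error if the key does not match.
/// </remarks>
private string decrypt(string ciphertext)
{
    string encryptionkey = "makv2spbni99212";
    byte[] cipherbytes = Convert.FromBase64String(ciphertext);
    using (Aes decryptor = Aes.Create())
    using (Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(encryptionkey,
        new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 }))
    using (MemoryStream ms = new MemoryStream())
    {
        decryptor.Key = pdb.GetBytes(32);
        decryptor.IV = pdb.GetBytes(16); // same derived stream as encrypt, so same constant IV
        using (CryptoStream cs = new CryptoStream(ms, decryptor.CreateDecryptor(), CryptoStreamMode.Write))
        {
            cs.Write(cipherbytes, 0, cipherbytes.Length);
        } // disposing flushes the final block and strips the padding
        return Encoding.Unicode.GetString(ms.ToArray());
    }
}

What is missing here? Please help. When I try to log in with working input it gives me an error ("Invalid length for a Base-64 char array or string."). The password column is nvarchar(max) in the database.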
Your login function needs to pull the user's password from the database and decrypt it with the key. If the decrypted password matches the entered password, let them in.
I would use salted hashing though, unless you have a specific reason to be able to view users' passwords. Then you only need to compare hashes at login.
Once you have the password from the database, pass it to this:
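/// <summary>
/// Decrypts the Base64 AES-CBC ciphertext written at registration and returns the original
/// UTF-16LE string. Key, salt and IV derivation must match the encrypting side exactly.
/// </summary>
/// <remarks>
/// NOTE(review): the key and salt are constants in source, so this is reversible by anyone
/// with the source or binary; a salted hash compared at login removes the need for this
/// method. Convert.FromBase64String throws FormatException ("Invalid length for a Base-64
/// char array or string") when the stored value is not the exact text the encryptor
/// produced — e.g. truncated, or read from a different database than the one written to.
/// </remarks>
private string decrypt(string ciphertext)
{
    string encryptionkey = "makv2spbni99212";
    byte[] cipherbytes = Convert.FromBase64String(ciphertext);
    using (Aes decryptor = Aes.Create())
    using (Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(encryptionkey,
        new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 }))
    using (MemoryStream ms = new MemoryStream())
    {
        decryptor.Key = pdb.GetBytes(32);
        decryptor.IV = pdb.GetBytes(16); // constant IV: derived from fixed key + fixed salt
        using (CryptoStream cs = new CryptoStream(ms, decryptor.CreateDecryptor(), CryptoStreamMode.Write))
        {
            cs.Write(cipherbytes, 0, cipherbytes.Length);
        } // disposing flushes the final block and strips the padding
        return Encoding.Unicode.GetString(ms.ToArray());
    }
}

Then, if the returned text equals the user's entered password, log them in.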