I am working on my Project's Login Validation page, i am also using hashing and salting, after getting salt value i compute the hash value with the user entered password, and send this to sql server to check if password matched, if matched i had output parameter of store procedure to return username and id or that user for passing in session.
But the problem is if i pass the wrong password it doesn't return the valid username and id which is ok, but it executes the Response.Redirect("HomeAppUser.aspx"); page that should not be happened.
string hashpassword = CreatePasswordHash(TxtBxPassword.Text.Trim(),salt);
try
{
db1.sqlcmd = new SqlCommand("uspAppUserLogin");
using (SqlDataAdapter sda = new SqlDataAdapter())
{
db1.sqlcmd.CommandType = CommandType.StoredProcedure;
db1.sqlcmd.Parameters.AddWithValue("@AppUserEmail", TxtBxEmail.Text.Trim());
db1.sqlcmd.Parameters.AddWithValue("@AppUserPassword", hashpassword);
db1.sqlcmd.Parameters.Add("@AppUserID", SqlDbType.Int);
db1.sqlcmd.Parameters.Add("@AppUsername", SqlDbType.VarChar, 10);
db1.sqlcmd.Parameters["@AppUserID"].Direction = ParameterDirection.Output;
db1.sqlcmd.Parameters["@AppUsername"].Direction = ParameterDirection.Output;
db1.sqlcmd.Connection = db1.sqlcon;
db1.sqlcon.Open();
int usercount = (Int32)db1.sqlcmd.ExecuteScalar();
Userid = (int)db1.sqlcmd.Parameters["@AppUserID"].Value;
Username = (string)db1.sqlcmd.Parameters["@AppUsername"].Value;
}
}
catch (Exception ex)
{
ClientScript.RegisterStartupScript(GetType(), "alert", "alert('" +"Invalid Login Details "+ "');", true);
}
finally
{
if (usercount == 0)
{
Session["AppUserName"] = Username;
Session["AppUserID"] = Userid;
Response.Redirect("HomeAppUser.aspx");
}
else
{
db1.sqlcon.Close();
}
}
CREATE PROC uspAppUserLogin
@AppUserEmail varchar(50),@AppUserPassword varchar(max),@AppUserID int OUT,@AppUsername Varchar(25) OUT
AS
BEGIN
SET NOCOUNT ON;
SELECT COUNT(*) FROM TblAppUser Where Email = @AppUserEmail and UserPassword = @AppUserPassword
SET @AppUserID =(Select UserId From TblAppUser Where Email = @AppUserEmail and UserPassword = @AppUserPassword)
SET @AppUsername =(Select UserName From TblAppUser Where Email = @AppUserEmail and UserPassword = @AppUserPassword)
INSERT INTO TblLoginDetails (UserId,LoginDate) VALUES (@AppUserID,GETDATE())
END