I have code behind the login form that checks the database to see if the username and password exist. If the username does not exist, a message is displayed. If the username is correct and the password is wrong, a message is displayed. The messages are not displaying when the wrong password is entered. Second, I have code in place for unsuccessful login attempts. When a username and password are unsuccessful the username's account locks, but when you try another username the message displays saying "Account is locked". How do I reset the count on a different username?

C#
protected void Page_Load(object sender, EventArgs e)
{
    TextBoxEA.Focus();

    if (!IsPostBack)
    {
        Session["counter"] = 0;
    }
    else
    {
        Session["counter"] = Convert.ToInt32(Session["counter"]) + 1;

        using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
        {
            con.Open();

            string cmdStr = "Select count(*) from Table22 where EmailAddress=@TextBoxEA";
            SqlCommand sqlCmd = new SqlCommand(cmdStr, con);
            sqlCmd.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
            int userExists = (int)sqlCmd.ExecuteNonQuery();

            cmdStr = "Select count(*) from Table22 where EmailAddress = @TextBoxEA AND Password = @TextBoxPW";
            sqlCmd = new SqlCommand(cmdStr, con);
            sqlCmd.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
            sqlCmd.Parameters.Add("@TextBoxPW", TextBoxPW.Text);
            int correctPassword = (int)sqlCmd.ExecuteNonQuery();

            string msg = "";
            if (userExists == 0)
                msg = "alert('User Name Does Not Exist You Must Fill Out Registration First');";
            else if (correctPassword == 0)
                msg = "alert('Invalid UserName / Password');";
            else if (Convert.ToInt32(Session["counter"]) >= 3)
            {
                msg = "alert('The Account is Locked Please call the Administrator');";

                cmdStr = "Update Table22 SET isLocked = 1 where EmailAddress = @TextBoxEA";
                sqlCmd = new SqlCommand(cmdStr, con);
                sqlCmd.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
                sqlCmd.ExecuteNonQuery();
            }
            if (msg.Length > 0)
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", msg, true);
                TextBoxEA.Text = string.Empty;
            }
            con.Close();
        }
    }
}
Updated 30-May-14 4:29am

To answer the second part of your question, the messages no longer appear because you have changed the
C#
int userExists = (int)sqlCmd.ExecuteScalar();
that I gave you in a previous post to
C#
int userExists = (int)sqlCmd.ExecuteNonQuery();

ExecuteNonQuery will return the number of rows affected for inserts/updates/deletes, but for all other types of command (e.g. Select count(*)) it returns -1.
Thus
C#
if (userExists == 0)
is never true.
   
Store the "username" they tried in the session as well as the count. Then check if it was the same. If it wasn't, reset the count.

But...you shouldn't.
If someone is trying to hack his way in, all he has to do is try three times, then try a different name three times, then back to the original, then the second, and so forth. Better to fail the way you are and refuse to let him try. And lock the actual account he is trying, and use a cookie to slow him down.

And please, don't do passwords like that! Well done on using parameterised queries, but...passwords stored as text are a major security risk. See here: Password Storage: How to do it.

[edit]And one more thing: never report separate messages for bad username and bad password - use the same message so wannabes can't tell if they have a valid username.[/edit]
   
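As an added example (not code from the poster or from either answer above), here is the login check rewritten along the lines the two answers recommend: the lookup uses ExecuteReader instead of ExecuteNonQuery, unknown user, wrong password and locked account all produce the same message, the failed-attempt counter is kept on the account row in the database rather than in Session (so a new browser session or a different username does not reset it), and passwords are stored as salted PBKDF2 hashes. Everything beyond what the post shows is an assumption: the extra columns PasswordHash, PasswordSalt and FailedAttempts on Table22, IsLocked as a bit column, a button named ButtonLogin whose Click event is wired to the handler, and Rfc2898DeriveBytes (the .NET Framework's PBKDF2 with HMAC-SHA1) as the key derivation function.

```csharp
// Added example, not from the original post. Assumed schema for Table22
// (only EmailAddress, Password and isLocked appear on the page):
//   EmailAddress nvarchar(256) PRIMARY KEY,
//   PasswordHash varbinary(32), PasswordSalt varbinary(16),
//   FailedAttempts int NOT NULL DEFAULT 0, IsLocked bit NOT NULL DEFAULT 0
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.UI;

public partial class Login : Page
{
    const int MaxFailedAttempts = 3;
    const int Pbkdf2Iterations = 100000;   // assumption: tune to your hardware
    const int SaltBytes = 16, HashBytes = 32;
    // One message for unknown user, wrong password and locked account,
    // so the response does not tell an attacker which usernames exist.
    const string FailureScript = "alert('Invalid username or password.');";

    // Wired to the login button's Click event (assumed name), not Page_Load,
    // so unrelated postbacks are not counted as login attempts.
    protected void ButtonLogin_Click(object sender, EventArgs e)
    {
        if (Authenticate(TextBoxEA.Text, TextBoxPW.Text))
        {
            // success: issue the authentication ticket / redirect here
            return;
        }
        ScriptManager.RegisterStartupScript(this, GetType(), "script", FailureScript, true);
        TextBoxPW.Text = string.Empty;
    }

    static bool Authenticate(string email, string password)
    {
        string cs = ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString;
        using (SqlConnection con = new SqlConnection(cs))
        {
            con.Open();

            // One SELECT fetches everything needed to decide. ExecuteReader
            // (or ExecuteScalar) returns data; ExecuteNonQuery would give -1.
            byte[] hash = null, salt = null;
            bool exists = false, locked = false;
            using (SqlCommand cmd = new SqlCommand(
                "SELECT PasswordHash, PasswordSalt, IsLocked FROM Table22 WHERE EmailAddress = @Email", con))
            {
                cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
                using (SqlDataReader r = cmd.ExecuteReader())
                {
                    if (r.Read())
                    {
                        exists = true;
                        hash = (byte[])r["PasswordHash"];
                        salt = (byte[])r["PasswordSalt"];
                        locked = (bool)r["IsLocked"];
                    }
                }
            }

            if (!exists)
            {
                // Dummy derivation so an unknown user costs the same time as
                // a wrong password; nothing is written for unknown names.
                Pbkdf2(password, new byte[SaltBytes]);
                return false;
            }
            if (locked) return false;   // checked before the password, every time

            SqlParameter emailParam = new SqlParameter("@Email", SqlDbType.NVarChar, 256) { Value = email };
            if (VerifyPassword(password, salt, hash))
            {
                Execute(con, "UPDATE Table22 SET FailedAttempts = 0 WHERE EmailAddress = @Email", emailParam);
                return true;
            }

            // The counter lives on the account row, not in Session: a fresh
            // cookie or another username does not reset it, and one UPDATE
            // increments and locks atomically (T-SQL evaluates the CASE on
            // the pre-update value, so FailedAttempts + 1 is the new count).
            Execute(con,
                "UPDATE Table22 SET FailedAttempts = FailedAttempts + 1, " +
                "IsLocked = CASE WHEN FailedAttempts + 1 >= @Max THEN 1 ELSE IsLocked END " +
                "WHERE EmailAddress = @Email",
                new SqlParameter("@Max", SqlDbType.Int) { Value = MaxFailedAttempts }, emailParam);
            return false;
        }
    }

    // Returns rows affected: 1 means the account row really was updated.
    static int Execute(SqlConnection con, string sql, params SqlParameter[] ps)
    {
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.AddRange(ps);
            return cmd.ExecuteNonQuery();
        }
    }

    // Registration side: random salt + PBKDF2; store both columns.
    public static void HashNewPassword(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        hash = Pbkdf2(password, salt);
    }

    static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
            return kdf.GetBytes(HashBytes);
    }

    static bool VerifyPassword(string password, byte[] salt, byte[] expected)
    {
        byte[] actual = Pbkdf2(password, salt);
        // Fixed-time comparison: no early exit on the first mismatching byte.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++)
            diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}
```

Existing rows that hold plaintext passwords cannot be verified by this code; they have to be migrated by calling HashNewPassword at the user's next successful login (or by a forced reset) and the plaintext column dropped. Unlocking is an administrative UPDATE that sets IsLocked = 0 and FailedAttempts = 0 for the one account concerned.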
Comments
Computer Wiz99 29-May-14 14:23pm
   
OriginalGriff, Thanks but how do I correct my problem? In code.
CHill60 30-May-14 10:40am
   
Basically OG is saying that you shouldn't fix the problem. If you close the browser/tab and re-enter the site then it will reset. Otherwise a hacker would just keep on trying until they get into your site and cause untold damage
Computer Wiz99 30-May-14 10:45am
   
Ok. I have that part, but why doesn't any of my messages pop up when the incorrect username and password are entered? And the "username does not exist" message does not pop up either. How can I fix these?
CHill60 30-May-14 11:31am
   
Put a breakpoint on the line string msg = ""; and view your page. When execution stops examine the values of userExists and correctPassword
CHill60 30-May-14 11:44am
   
Posted a solution to that part
Computer Wiz99 30-May-14 11:53am
   
I have an updated solution and a question about it.
CHill60 30-May-14 10:38am
   
:laugh: The parameterised queries were courtesy of my solution to a previous post :-)
RDBurmon 30-May-14 11:28am
   
good solution
This is what I did to get the messages to pop back up, and it works, but the account lock will not. How can I fix this to keep everything going?

C#
protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        Session["counter"] = 0;
    }
    else
    {
        Session["counter"] = Convert.ToInt32(Session["counter"]) + 1;

        using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
        {
            con.Open();

            string cmdStr = "Select count(*) from Table22 where EmailAddress=@TextBoxEA";
            SqlCommand userExist = new SqlCommand(cmdStr, con);
            SqlCommand cmd = new SqlCommand("select EmailAddress from Table22", con);
            userExist.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
            int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());

            cmdStr = "Select count(*) from Table22 where EmailAddress = @TextBoxEA AND Password = @TextBoxPW";
            userExist = new SqlCommand(cmdStr, con);
            userExist.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
            userExist.Parameters.Add("@TextBoxPW", TextBoxPW.Text);
            int temp2 = Convert.ToInt32(userExist.ExecuteScalar().ToString());

            string msg = "";
            if (temp == 0)
                msg = "alert('User Name Does Not Exist You Must Fill Out Registration First');";
            else if (temp == 1)
                msg = "alert('Invalid UserName / Password');";
            else if (Convert.ToInt32(Session["counter"]) >= 3)
            {
                msg = "alert('The Account is Locked Please call the Administrator');";

                cmdStr = "Update Table22 SET isLocked = 3 where EmailAddress = @TextBoxEA";
                userExist = new SqlCommand(cmdStr, con);
                userExist.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
                userExist.ExecuteNonQuery();
            }
            if (msg.Length > 0)
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", msg, true);
                TextBoxEA.Text = string.Empty;
            }
            con.Close();
        }
    }
}
   
Comments
CHill60 30-May-14 12:07pm
   
Change the line userExist.ExecuteNonQuery(); to read int temp1 = userExist.ExecuteNonQuery(); then put a breakpoint on that line. Run your code. When execution stops, step over the line and examine the contents of temp1. If it does not equal 1 (or greater) then the database was not updated - there may be a problem with your column isLocked ... is it of type INT, for example? Even if that has worked, you are not checking to see if the Account was previously locked. See other solutions and comments to your post above to find an alternative method.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)