someone to tell me why I can't log in, please

  • Question

  • User1868696603 posted
     byte[] passwordAndSalt = System.Text.Encoding.UTF8.GetBytes(Pass + Salt);
    before I post my entire where does the pass and salt variable comes from?

    code

        try
        {
            string usernameT = TxtUsername.Text;
            string passwordP = TxtPass.Text;

            string CS = ConfigurationManager.ConnectionStrings["Reg"].ConnectionString;
            using (SqlConnection con = new SqlConnection(CS))
            {
                string query = "select username, Pword, Salt from Enter where username=@Username ";
                SqlCommand cmd = new SqlCommand(query, con);
                cmd.Parameters.AddWithValue("@Username", usernameT);
                SqlDataAdapter adap = new SqlDataAdapter(cmd);
                DataTable dt = new DataTable();
                adap.Fill(dt);

                string pwd_db = dt.Rows[0]["Pword"].ToString();
                string Salt = dt.Rows[0]["Salt"].ToString();
                byte[] passwordAndSalt = System.Text.Encoding.UTF8.GetBytes(pwd_db + Salt);
                byte[] hashBytes = new System.Security.Cryptography.SHA256Managed().ComputeHash(passwordAndSalt);
                string hashString = Convert.ToBase64String(hashBytes);

                if (hashString == pwd_db)
                {
                    Response.Redirect("~/Navbar.aspx");
                }
                else
                {
                    LblMessage.Text = "invalid username or password";
                }
            }
        }
        catch (Exception ex)
        {
            ex.Data.Clear();
        }
    }

    Thursday, March 18, 2021 3:38 PM

All replies

  • User-939850651 posted

    Hi mmm@gmail.com86,

    Based on the information you have provided now, I am afraid I cannot reproduce your problem, because I am not sure what parameters are stored in your data sheet and how you operated in the test.

    First, after you pass the userName parameter entered by the user and then query the data table, you directly start to get the columns' values in the datatable, but you still don't know whether the data table contains data (whether the userName exists). And this exception will be caught and a response will be returned directly.

    Before getting the data, you can judge whether there are data rows in the data table, something like this:

    if (dt.Rows.Count > 0)
    {
        // some code here
    }

    Second, after you have obtained the user information, have you checked the hashed value entered by the user? Is it the same as the data stored in the data table?

    I think you should use the debugger in Visual Studio to view the specific details of the code running.

    If I misunderstood something, could you provide more details so that we can reproduce your problem and search for any solutions for this issue?

    Best regards,

    Xudong Peng

    Friday, March 19, 2021 7:41 AM
  • User753101303 posted

    Hi,

    You should have an account creation page that saves user information to the database (but the login page doesn't exist yet ???). The salt is perhaps before the password?

    Though you have a learning curve depending on your prior experience, you may want to search for "ASP.NET Identity" that handles that out of the box and that can be customized.

    Edit: BTW you are doing nothing in your catch clause, which is bad. If you have an exception it will just be hidden. This is also why it is always best to tell what happens when showing code. For now I assume you do see the "invalid username or password". I assume also that you have seen that the produced hash doesn't match.

    Friday, March 19, 2021 8:08 AM
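
The check the replies describe, as an added example that is not part of the original thread: the hash is recomputed from the password the user typed plus the stored salt, and a missing row is handled before any column is read. `LoginCheck`, `Hash`, `Verify` and the sample row are hypothetical names and data, and the example assumes the account-creation page stored Base64(SHA256(password + salt)) with the password first.

```csharp
using System;
using System.Data;
using System.Security.Cryptography;
using System.Text;

static class LoginCheck
{
    // Assumed storage scheme: Base64(SHA256(UTF8(password + salt))), password first.
    public static string Hash(string password, string salt)
    {
        using (SHA256 sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(password + salt)));
    }

    // Compares every character instead of stopping at the first mismatch.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // dt holds the result of the thread's "select username, Pword, Salt ..." query.
    public static bool Verify(DataTable dt, string enteredPassword)
    {
        if (dt.Rows.Count == 0) return false; // unknown user: there is no row to read
        string storedHash = dt.Rows[0]["Pword"].ToString();
        string salt = dt.Rows[0]["Salt"].ToString();
        // Hash what the user typed, never the stored value.
        return FixedTimeEquals(Hash(enteredPassword, salt), storedHash);
    }

    static void Main()
    {
        // Constructed sample row standing in for the Enter table.
        var dt = new DataTable();
        dt.Columns.Add("username"); dt.Columns.Add("Pword"); dt.Columns.Add("Salt");
        string salt = "constructed-sample-salt";
        dt.Rows.Add("alice", Hash("correct horse", salt), salt);

        Console.WriteLine("right password : " + Verify(dt, "correct horse"));
        Console.WriteLine("wrong password : " + Verify(dt, "wrong"));
        Console.WriteLine("unknown user   : " + Verify(new DataTable(), "x"));
        // The posted code hashes pwd_db + Salt and compares the result with pwd_db.
        string pwdDb = dt.Rows[0]["Pword"].ToString();
        Console.WriteLine("posted check   : " + (Hash(pwdDb, salt) == pwdDb));
    }
}
```

The single SHA-256 round is kept only so the result matches values stored by the scheme in the thread; ASP.NET Identity, mentioned in the reply above, hashes passwords with a slow key-derivation function instead.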