Check username and password is incorrect in asp.net

Question

User186310208 posted

when user login if username is incorrect then it will show error if password is incorrect its shows error...in my code its is username or password is incorrect then it will show error.. i want for both condition.this all done by Entity Framework.

protected void Button1_Click(object sender, EventArgs e)
{

string UserName = TxtUserName.Text;
WallpaperEntities4 db = new WallpaperEntities4();
string ID = Request.QueryString["Id"];
string query = (from c in db.Users
where c.UserName == TxtUserName.Text && c.Password == TxtPassword.Text
select c.UserName).FirstOrDefault();
if (query != null)
{
Session["UserName"] = UserName;
Response.Redirect("/Walpaper.aspx?username="+UserName);
}
else
LblMesge.Text = "Invalid User";

}

Answer 1

User-939850651 posted

Hi guestadmin,

If you want to achieve such a function, you may need to modify the design of the data table, and the UserName as the query condition should be unique.

When confirming that the user exists, compare whether the password is the same as the data in the table, and then make a corresponding response.

Something like this:

protected void Button1_Click(object sender, EventArgs e)
        {
            string UserName = TxtUserName.Text;
            string Password = TxtPassword.Text;
            WallpaperEntities4 db = new WallpaperEntities4();
            string ID = Request.QueryString["Id"];
            User queryUser = (from c in db.Users
                              where c.UserName == TxtUserName.Text
                              select c.UserName).FirstOrDefault();
            if (query != null)
            {
                if (queryUser.Password == Password)
                {
                    Session["UserName"] = UserName;
                    Response.Redirect("/Walpaper.aspx?username=" + UserName);
                }
                else
                {
                    LblMesge.Text = "Password is incorrect";
                }

            }
            else
                LblMesge.Text = "UserName is incorrect";
        }

Best regards,

Xudong Peng

Answer 2

User753101303 posted

Hi

Usually you show a generic message so that a hacker doesn't know he found a vallid user name and can then focus on finding the password.

Also rather than rolling your own authentication I would suggest to use what ASP.NET offers out of the box (such as NOT string passwords in clear text).

Answer 3

User186310208 posted

this is working code...

protected void Button1_Click(object sender, EventArgs e)
{
using (var context = new WallpaperEntities4())
{
string UserName = Convert.ToString(Session["UserName"]);
User user = (from c in context.Users
where c.UserName == TxtUserName.Text
select c).FirstOrDefault();

if (user == null)
{
LblMesge.Text = "Invalid Username";
}
else if (!user.Password.Equals(TxtPassword.Text))
{
LblMesge.Text = "Invalid Password";
}
else
{

WallpaperEntities4 db = new WallpaperEntities4();
string ID = Request.QueryString["Id"];
Session["UserName"] = UserName;
Response.Redirect("/Walpaper.aspx?username=" + UserName);

}

}