how not to check a login [modified]

    icewolf_snowfire

    this is one of the many gems I'm finding (and fixing) in some third party produced code:

    /// <summary>
    /// Click handler for the login button: passes the user name and password
    /// text boxes to Account.LoginUser, redirects to ~/Default.aspx when it
    /// returns true, and otherwise writes a message to lblMessage.
    /// </summary>
    protected void btnLogin_Click(Object s, EventArgs e)
    {
    // NOTE(review): the two failure paths below show different text
    // ("Username not found." vs "Password does not match."), so the response
    // reveals whether an account name exists. One generic failure message
    // for both cases avoids that.
    bool loginOK = false;
    try
    {
    loginOK = Account.LoginUser(Page, txtUserName.Text, txtPassword.Text);
    }
    // Catches every exception type, not only the "no row" case tested below.
    catch (Exception ex)
    {
    string error = string.Empty;
    // Branches on the exception's message text instead of its type or a
    // return value. NOTE(review): message text is not a stable contract;
    // according to the thread this text comes from reading a SqlDataReader
    // that returned no row for the user name.
    if (ex.Message == "Invalid attempt to read when no data is present.")
    {
    error = "Username not found.";
    }
    else
    {
    // Any other exception text is shown to the end user as-is.
    // NOTE(review): log the exception server-side and show a generic
    // message instead; internal error text does not belong on the page.
    error = ex.Message;
    }
    // NOTE(review): presumably lblMessage is a Label, whose Text is rendered
    // without HTML encoding - confirm, and encode anything not a fixed string.
    lblMessage.Text = error;
    return;
    }

    	if (loginOK == true)
    	{
    		Response.Redirect("~/Default.aspx");
    	}
    	else
    	{
    		// The ** markers on the next line are the poster's emphasis, not C#.
    		**lblMessage.Text = "Password does not match.";**
    	}
    }
    

    /// <summary>
    /// Checks the credentials with AccountDB.CheckPassword. When that returns
    /// true, issues a forms-authentication ticket cookie on page.Response,
    /// updates the account's login date and returns true; otherwise returns false.
    /// </summary>
    /// <param name="page">Page whose Response receives the authentication cookie.</param>
    /// <param name="uname">User name; also stored as the ticket's name.</param>
    /// <param name="pass">Password passed on to AccountDB.CheckPassword.</param>
    /// <returns>true when CheckPassword returned true, false otherwise.</returns>
    public static bool LoginUser(Page page, string uname, string pass)
    {
    bool passwordVerified = false;

    		try
    		{
    			passwordVerified = AccountDB.CheckPassword(uname, pass);
    		}
    		// This catch only rethrows (ex is unused), so the try/catch has no
    		// effect: exceptions from CheckPassword reach the caller unchanged.
    		catch (Exception ex)
    		{
    			throw;
    		}
    
    		if (passwordVerified == true)
    		{
    			//string roles = "Manager" + "|" + "Administrator";
    			// The role string is a fixed literal: every authenticated user
    			// gets "JobSeeker" in the ticket, whatever the account is.
    			string roles = "JobSeeker";
    
    			// Create the authentication ticket
    			FormsAuthenticationTicket authTicket = new
    				FormsAuthenticationTicket(1,  // version
    				uname,      // user name
    				DateTime.Now,	// creation
    				DateTime.Now.AddMinutes(60),// Expiration
    				false,	// Persistent
    				roles	// User data
    										 );
    
    			string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
    
    			// The cookie is built from name and value only; this method sets
    			// neither HttpOnly nor Secure on it.
    			// NOTE(review): confirm both are enforced by configuration.
    			HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
    			page.Response.Cookies.Add(authCookie);
    
    			// Update login date to now
    			// NOTE(review): these calls run after the cookie was added; if one
    			// throws, the caller reports a login error although the ticket
    			// cookie may already be on the response - confirm the intended order.
    			int userID = AccountDB.GetUserIDByUsername(uname);
    			AccountDB.UpdateLoginDate(userID, DateTime.Now);
    
    			return true;
    		}
    		else
    		{
    			return false;
    		}
    	}
    

    public static bool CheckPassword(string username, string password)
    {
    bool passwordMatch = false;
    SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
    SqlCommand cmd = new SqlCommand("CheckPassword", conn);
    cmd.CommandType = CommandType.StoredProcedure;

    		SqlParameter sqlParam = cmd.Parameters.Add("@userName", SqlDbType.VarChar, 255);
    		sqlParam.Value = username;
    		try
    		{
    			conn.Open();
    			**SqlDataReader reader = cmd.ExecuteReader();
    			reader.Read();**
    			string dbPasswordHash = reader.GetString(0);
    			string salt = reader.GetString(1);
    			reader.Close();
    
    			// Generat
    
      0x3c0

      What did you do wrong to deserve this? Did you destroy Sealand? On another note, the comments in your code block stretch the screen. Could you please fix them?

      Between the idea And the reality Between the motion And the act Falls the Shadow

        icewolf_snowfire

        fixed the comments, sorry :) I think it must be bad karma, the whole site is like this (they were the lowest bidder). :(( It does function, and there are pieces that seem good, but then I come across stuff like this and I really want to bang my head against the wall.

          Lutoslaw

          I am not familiar with db connection issues. Could you explain why it is bad, please?

          icewolf_snowfire wrote:

          SqlDataReader reader = cmd.ExecuteReader();
          reader.Read();

          Thanks.

          Greetings - Jacek

            supercat9

            I'm not sure what's worse, that a professional development company has people who think this is how you use exceptions, or that my company actually paid money for this code :unsure: I love the way they put database errors in the message to the user, and identify which they got wrong, the username or the password. :mad:

            In many situations, it's entirely reasonable to distinguish a bad username from a bad password. User names are generally not secure, and legitimate users may not always remember which variation of their username they used at a particular site. Having a login routine throw an exception for user-not-found is not the best, but if a custom exception were used for that purpose, it wouldn't be totally horrible. The only really horrible thing I see is the munging of the exception message.

            BTW, one feature I'd like to see on a web site would be an option for users to specify a string that should be displayed on an unsuccessful login attempt, with the instruction that the string should contain something recognizable, but should not contain any security-related information. That would allow someone who mistakenly tries to log in with someone else's username to immediately realize their mistake.

              icewolf_snowfire

              When you use a SqlDataReader, you always have to check if it actually contains any data with reader.HasRows. If it doesn't have data, like in this case if the username is not in the database, it throws an InvalidOperationException "Invalid attempt to read when no data is present". What's happening is that the person who wrote this didn't understand what was causing the exception, so he just handled it with a try catch, rather than fixing the actual problem.

                Lutoslaw

                I get it. It seems to be another case of an "exceptional coding". Moreover, it rethrows the exception so the overlaying method will get a plain InvalidOperationException with no clue what is going on, as far as I understand the throw; syntax. Terrifying. :doh:

                Greetings - Jacek

                  leppie

                  icewolf_snowfire wrote:

                  reader.HasRows

                  Wouldn't if (reader.Read()) { ... } be ok too?

                  xacc.ide
                  IronScheme - 1.0 beta 3 - out now!
                  ((lambda (x) `((lambda (x) ,x) ',x)) '`((lambda (x) ,x) ',x))

                    Russell Jones

                    It would also be nice if sites told you what the rules for passwords were so that you knew which passwords you were likely to have used on a given site. Often I've had to try to create a new account to find out what the rules are for a site so I can login again. Life was so much easier before websites started getting themselves removed from BugMeNot!

                      Jammer 0

                      I've seen the exact same crap from a third party 'development company' my employer has recently stopped using. I ended up submitting report after report on how bad their code was ... finally got listened to and we promptly dumped them.

                      Jammer My Blog | Article(s)

                        PaPaSEK

                        I don't think this is a bad idea, or junk, or crap, or whatever you called it. It is just a way of programming, and it is the way the programmer wanted it to be. One algorithm can be done in many ways. So if you think you can write a better one, you should not shout in their face and say something like "Your code is bad. I found this junk in your code. I am the best." Impressive, huh!? What you should do is give them a suggestion, though it is free :laugh:

                          supercat9

                          Russell Jones wrote:

                          It would also be nice if sites told you what the rules for passwords were so that you knew which passwords you were likely to have used on a given site. Often I've had to try to create a new account to find out what the rules are for a site so I can login again. Life was so much easier before websites started getting themselves removed from BugMeNot!

                          No kidding. If a site requires passwords to be precisely eight characters, how is it any less secure to remind people of that at the login screen than after they create a new account? (Of course, requiring that passwords be exactly eight characters seems a dumb design anyway--even if the system only had space to store eight bytes, and policy factors dictated an eight-character minimum, the system should easily be able to hash a password of arbitrary length into an eight-byte digest or--failing that--just take the first eight bytes of the password and ignore the rest).

                          • L leppie

                            icewolf_snowfire wrote:

                            reader.HasRows

                            Wouldn't if (reader.Read()) { ... } be ok too?

                            xacc.ide
                            IronScheme - 1.0 beta 3 - out now!
                            ((lambda (x) `((lambda (x) ,x) ',x)) '`((lambda (x) ,x) ',x))

                            icewolf_snowfire
                            wrote on last edited by
                            #13

                            you're right it would, I didn't realize that was there. (and neither did they) it would be less lines of code, so slightly more efficient?

                            • P PaPaSEK

                              I don't think this is a bad idea or junk or crap etc., whatever you called it. It's just a way of programming, and it's the way the programmer wanted it to be. One algorithm can be done in many ways. So if you think you can write a better one, you should not shout in their face and say something like "Your code is bad. I found this junk in your code. I am the best." Impressive, huh!? What you should do is give them a suggestion, though it's free :laugh:

                              Tristan Rhodes
                              wrote on last edited by
                              #14

                              Well... you can lead a horse to water...

                              ------------------------------- Carrier Bags - 21st Century Tumbleweed.

                              • L leppie

                                icewolf_snowfire wrote:

                                reader.HasRows

                                Wouldn't if (reader.Read()) { ... } be ok too?

                                xacc.ide
                                IronScheme - 1.0 beta 3 - out now!
                                ((lambda (x) `((lambda (x) ,x) ',x)) '`((lambda (x) ,x) ',x))

                                MarkB777
                                wrote on last edited by
                                #15

                                I've always used while (reader.Read()) { ... } which does the trick.

                                Mark Brock "We're definitely not going to make a G or a PG version of this. It's not PillowfightCraft." -- Chris Metzen Click here to view my blog

                                • I icewolf_snowfire

                                  you're right it would, I didn't realize that was there. (and neither did they) it would be less lines of code, so slightly more efficient?

                                  Lutoslaw
                                  wrote on last edited by
                                  #16

                                  icewolf_snowfire wrote:

                                  it would be less lines of code, so slightly more efficient?

                                  lol.

                                  Greetings - Jacek

                                  • T Tristan Rhodes

                                    Well... you can lead a horse to water...

                                    ------------------------------- Carrier Bags - 21st Century Tumbleweed.

                                    Vozzie2
                                    wrote on last edited by
                                    #17

                                    And remind him he was drinking poison...

                                    It feels good to learn and achieve
