how not to check a login [modified]
-
this is one of the many gems I'm finding (and fixing) in some third party produced code:
protected void btnLogin_Click(Object s, EventArgs e)
{
bool loginOK = false;
try
{
loginOK = Account.LoginUser(Page, txtUserName.Text, txtPassword.Text);
}
catch (Exception ex)
{
string error = string.Empty;
if (ex.Message == "Invalid attempt to read when no data is present.")
{
error = "Username not found.";
}
else
{
error = ex.Message;
}
lblMessage.Text = error;
return;
}if (loginOK == true) { Response.Redirect("~/Default.aspx"); } else { **lblMessage.Text = "Password does not match.";** } }public static bool LoginUser(Page page, string uname, string pass)
{
bool passwordVerified = false;try { passwordVerified = AccountDB.CheckPassword(uname, pass); } catch (Exception ex) { throw; } if (passwordVerified == true) { //string roles = "Manager" + "|" + "Administrator"; string roles = "JobSeeker"; // Create the authentication ticket FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, // version uname, // user name DateTime.Now, // creation DateTime.Now.AddMinutes(60),// Expiration false, // Persistent roles // User data ); string encryptedTicket = FormsAuthentication.Encrypt(authTicket); HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket); page.Response.Cookies.Add(authCookie); // Update login date to now int userID = AccountDB.GetUserIDByUsername(uname); AccountDB.UpdateLoginDate(userID, DateTime.Now); return true; } else { return false; } }public static bool CheckPassword(string username, string password)
{
bool passwordMatch = false;
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
SqlCommand cmd = new SqlCommand("CheckPassword", conn);
cmd.CommandType = CommandType.StoredProcedure;SqlParameter sqlParam = cmd.Parameters.Add("@userName", SqlDbType.VarChar, 255); sqlParam.Value = username; try { conn.Open(); **SqlDataReader reader = cmd.ExecuteReader(); reader.Read();** string dbPasswordHash = reader.GetString(0); string salt = reader.GetString(1); reader.Close(); // Generat -
this is one of the many gems I'm finding (and fixing) in some third party produced code:
protected void btnLogin_Click(Object s, EventArgs e)
{
bool loginOK = false;
try
{
loginOK = Account.LoginUser(Page, txtUserName.Text, txtPassword.Text);
}
catch (Exception ex)
{
string error = string.Empty;
if (ex.Message == "Invalid attempt to read when no data is present.")
{
error = "Username not found.";
}
else
{
error = ex.Message;
}
lblMessage.Text = error;
return;
}if (loginOK == true) { Response.Redirect("~/Default.aspx"); } else { **lblMessage.Text = "Password does not match.";** } }public static bool LoginUser(Page page, string uname, string pass)
{
bool passwordVerified = false;try { passwordVerified = AccountDB.CheckPassword(uname, pass); } catch (Exception ex) { throw; } if (passwordVerified == true) { //string roles = "Manager" + "|" + "Administrator"; string roles = "JobSeeker"; // Create the authentication ticket FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, // version uname, // user name DateTime.Now, // creation DateTime.Now.AddMinutes(60),// Expiration false, // Persistent roles // User data ); string encryptedTicket = FormsAuthentication.Encrypt(authTicket); HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket); page.Response.Cookies.Add(authCookie); // Update login date to now int userID = AccountDB.GetUserIDByUsername(uname); AccountDB.UpdateLoginDate(userID, DateTime.Now); return true; } else { return false; } }public static bool CheckPassword(string username, string password)
{
bool passwordMatch = false;
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
SqlCommand cmd = new SqlCommand("CheckPassword", conn);
cmd.CommandType = CommandType.StoredProcedure;SqlParameter sqlParam = cmd.Parameters.Add("@userName", SqlDbType.VarChar, 255); sqlParam.Value = username; try { conn.Open(); **SqlDataReader reader = cmd.ExecuteReader(); reader.Read();** string dbPasswordHash = reader.GetString(0); string salt = reader.GetString(1); reader.Close(); // GeneratI'm not sure what's worse, that a professional development company has people who think this is how you use exceptions, or that my company actually paid money for this code Unsure I love the way they put database errors in the message to the user, and identify which they got wrong, the username or the password.Mad In many situations, it's entirely reasonable to distinguish a bad username from a bad password. User names are generally not secure, and legitimate users may not always remember which variation of their username they used at a particular site. Having a login routine throw an exception for user-not-found is not the best, but if a custom exception were used for that purpose, it wouldn't be totally horrible. The only really horrible thing I see is the munging of the exception message. BTW, one feature I'd like to see on a web site would be an option for users to specify a string that should be displayed on an unsuccessful login attempt, with the instruction that the string should contain something recognizable, but should not contain any security-related information. That would allow someone who mistakenly tries to log in with someone else's username to immediately realize their mistake.
-
I am not familiar with db connection issues. Could you explain why is it bad, please?
icewolf_snowfire wrote:
SqlDataReader reader = cmd.ExecuteReader();
reader.Read();Thanks.
Greetings - Jacek
when you use a SqlDataReader, you always have to check if it actually contains any data with
reader.HasRowsif it doesn't have data, like in this case if the username is not in the database, it throws an InvalidOperationException "Invalid attempt to read when no data is present" what's happening is the person who wrote this, didn't understand what was causing the exception, so he just handled in with a try catch, rather than fixing the actual problem. -
when you use a SqlDataReader, you always have to check if it actually contains any data with
reader.HasRowsif it doesn't have data, like in this case if the username is not in the database, it throws an InvalidOperationException "Invalid attempt to read when no data is present" what's happening is the person who wrote this, didn't understand what was causing the exception, so he just handled in with a try catch, rather than fixing the actual problem.I get it. It seems to be another case of an "exceptional coding". Moreover, it rethrows the exception so the overlaying method will get a plain InvalidOperationException with no clue what is going on, as far as I understand the
throw;syntax. Terrifying. :doh:Greetings - Jacek
-
when you use a SqlDataReader, you always have to check if it actually contains any data with
reader.HasRowsif it doesn't have data, like in this case if the username is not in the database, it throws an InvalidOperationException "Invalid attempt to read when no data is present" what's happening is the person who wrote this, didn't understand what was causing the exception, so he just handled in with a try catch, rather than fixing the actual problem. -
I'm not sure what's worse, that a professional development company has people who think this is how you use exceptions, or that my company actually paid money for this code Unsure I love the way they put database errors in the message to the user, and identify which they got wrong, the username or the password.Mad In many situations, it's entirely reasonable to distinguish a bad username from a bad password. User names are generally not secure, and legitimate users may not always remember which variation of their username they used at a particular site. Having a login routine throw an exception for user-not-found is not the best, but if a custom exception were used for that purpose, it wouldn't be totally horrible. The only really horrible thing I see is the munging of the exception message. BTW, one feature I'd like to see on a web site would be an option for users to specify a string that should be displayed on an unsuccessful login attempt, with the instruction that the string should contain something recognizable, but should not contain any security-related information. That would allow someone who mistakenly tries to log in with someone else's username to immediately realize their mistake.
It would also be nice if sites told you what the rules for passwords were so that you knew which passwords you were likely to have used on a given site. Often I've had to try to create a new account to find out what the rules are for a site so I can login again. Life was so much easier before websites started getting themselves removed from BugMeNot!
-
this is one of the many gems I'm finding (and fixing) in some third party produced code:
protected void btnLogin_Click(Object s, EventArgs e)
{
bool loginOK = false;
try
{
loginOK = Account.LoginUser(Page, txtUserName.Text, txtPassword.Text);
}
catch (Exception ex)
{
string error = string.Empty;
if (ex.Message == "Invalid attempt to read when no data is present.")
{
error = "Username not found.";
}
else
{
error = ex.Message;
}
lblMessage.Text = error;
return;
}if (loginOK == true) { Response.Redirect("~/Default.aspx"); } else { **lblMessage.Text = "Password does not match.";** } }public static bool LoginUser(Page page, string uname, string pass)
{
bool passwordVerified = false;try { passwordVerified = AccountDB.CheckPassword(uname, pass); } catch (Exception ex) { throw; } if (passwordVerified == true) { //string roles = "Manager" + "|" + "Administrator"; string roles = "JobSeeker"; // Create the authentication ticket FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, // version uname, // user name DateTime.Now, // creation DateTime.Now.AddMinutes(60),// Expiration false, // Persistent roles // User data ); string encryptedTicket = FormsAuthentication.Encrypt(authTicket); HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket); page.Response.Cookies.Add(authCookie); // Update login date to now int userID = AccountDB.GetUserIDByUsername(uname); AccountDB.UpdateLoginDate(userID, DateTime.Now); return true; } else { return false; } }public static bool CheckPassword(string username, string password)
{
bool passwordMatch = false;
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
SqlCommand cmd = new SqlCommand("CheckPassword", conn);
cmd.CommandType = CommandType.StoredProcedure;SqlParameter sqlParam = cmd.Parameters.Add("@userName", SqlDbType.VarChar, 255); sqlParam.Value = username; try { conn.Open(); **SqlDataReader reader = cmd.ExecuteReader(); reader.Read();** string dbPasswordHash = reader.GetString(0); string salt = reader.GetString(1); reader.Close(); // GeneratI've seen the exact same crap from a third party 'development company' my employer has recently stopped using. I ended up submitting report after report on how bad their code was ... finally got listened to and we promptly dumped them.
Jammer My Blog | Article(s)
-
this is one of the many gems I'm finding (and fixing) in some third party produced code:
protected void btnLogin_Click(Object s, EventArgs e)
{
bool loginOK = false;
try
{
loginOK = Account.LoginUser(Page, txtUserName.Text, txtPassword.Text);
}
catch (Exception ex)
{
string error = string.Empty;
if (ex.Message == "Invalid attempt to read when no data is present.")
{
error = "Username not found.";
}
else
{
error = ex.Message;
}
lblMessage.Text = error;
return;
}if (loginOK == true) { Response.Redirect("~/Default.aspx"); } else { **lblMessage.Text = "Password does not match.";** } }public static bool LoginUser(Page page, string uname, string pass)
{
bool passwordVerified = false;try { passwordVerified = AccountDB.CheckPassword(uname, pass); } catch (Exception ex) { throw; } if (passwordVerified == true) { //string roles = "Manager" + "|" + "Administrator"; string roles = "JobSeeker"; // Create the authentication ticket FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, // version uname, // user name DateTime.Now, // creation DateTime.Now.AddMinutes(60),// Expiration false, // Persistent roles // User data ); string encryptedTicket = FormsAuthentication.Encrypt(authTicket); HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket); page.Response.Cookies.Add(authCookie); // Update login date to now int userID = AccountDB.GetUserIDByUsername(uname); AccountDB.UpdateLoginDate(userID, DateTime.Now); return true; } else { return false; } }public static bool CheckPassword(string username, string password)
{
bool passwordMatch = false;
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
SqlCommand cmd = new SqlCommand("CheckPassword", conn);
cmd.CommandType = CommandType.StoredProcedure;SqlParameter sqlParam = cmd.Parameters.Add("@userName", SqlDbType.VarChar, 255); sqlParam.Value = username; try { conn.Open(); **SqlDataReader reader = cmd.ExecuteReader(); reader.Read();** string dbPasswordHash = reader.GetString(0); string salt = reader.GetString(1); reader.Close(); // GeneratI don't think these are the bad Idea or junk or crap etc. whatever you called it. It just the way of programming. And it the way the programmer want it to be. One Algorithm can be done in many way. So If you think you can write a better one, You should not shout into their face an say something Like "Your code is bad. I found this junk in your code. I am the best." Impressive Huh!? What you should do is give them a suggestion, Though it free :laugh:
-
It would also be nice if sites told you what the rules for passwords were so that you knew which passwords you were likely to have used on a given site. Often I've had to try to create a new account to find out what the rules are for a site so I can login again. Life was so much easier before websites started getting themselves removed from BugMeNot!
Russell Jones wrote:
It would also be nice if sites told you what the rules for passwords were so that you knew which passwords you were likely to have used on a given site. Often I've had to try to create a new account to find out what the rules are for a site so I can login again. Life was so much easier before websites started getting themselves removed from BugMeNot!
No kidding. If a site requires passwords to be precisely eight characters, how is it any less secure to remind people of that at the login screen than after they create a new account? (Of course, requiring that passwords be exactly eight characters seems a dumb design anyway--even if the system only had space to store eight bytes, and policy factors dictated an eight-character minimum, the system should easily be able to hash a password of arbitrary length into an eight-byte digest or--failing that--just take the first eight bytes of the password and ignore the rest).
-
icewolf_snowfire wrote:
reader.HasRows
Wouldn't
if (reader.Read()) { ... }be ok too?xacc.ide
IronScheme - 1.0 beta 3 - out now!
((lambda (x) `((lambda (x) ,x) ',x)) '`((lambda (x) ,x) ',x))you're right it would, I didn't realize that was there. (and neither did they) it would be less lines of code, so slightly more efficient?
-
I don't think these are the bad Idea or junk or crap etc. whatever you called it. It just the way of programming. And it the way the programmer want it to be. One Algorithm can be done in many way. So If you think you can write a better one, You should not shout into their face an say something Like "Your code is bad. I found this junk in your code. I am the best." Impressive Huh!? What you should do is give them a suggestion, Though it free :laugh:
Well... you can lead a horse to water...
------------------------------- Carrier Bags - 21st Century Tumbleweed.
-
icewolf_snowfire wrote:
reader.HasRows
Wouldn't
if (reader.Read()) { ... }be ok too?xacc.ide
IronScheme - 1.0 beta 3 - out now!
((lambda (x) `((lambda (x) ,x) ',x)) '`((lambda (x) ,x) ',x))I've always used
while (reader.Read()) { ... }which does the trick.Mark Brock "We're definitely not going to make a G or a PG version of this. It's not PillowfightCraft." -- Chris Metzen Click here to view my blog
-
you're right it would, I didn't realize that was there. (and neither did they) it would be less lines of code, so slightly more efficient?
-
Well... you can lead a horse to water...
------------------------------- Carrier Bags - 21st Century Tumbleweed.