hi,
We are going auditing on the our software. So When we login fist time, it is create our own
cookie and after login our cookies is not change. So it is chance to hacking the our cookies
site. means he can paste our cookie which we have storing user name and password.
So our auditor tell us to change a cookies value after login.
But problem is that if we change cookies values then we can't access session values. Because of
our another page are checking session values for authotentication for user. No We want if our
cookies values ('KONKAN' is name of cookies/session) change it should not affected on our
session values..
here code:.
It is create cookies----
private void CreateCookie()
{
string encryptedTextKonkan;
//string encryptedTextAsp;
FormsAuthenticationTicket konkanTicket;
//FormsAuthenticationTicket aspTicket;
Session.Abandon();
konkanTicket = new FormsAuthenticationTicket(1, "konkan", DateTime.Now, DateTime.Now.AddSeconds(15), false, "");
//aspTicket = new FormsAuthenticationTicket(1, "asp", DateTime.Now, DateTime.Now.AddSeconds(15), false, "");
encryptedTextKonkan = FormsAuthentication.Encrypt(konkanTicket);
//encryptedTextAsp = FormsAuthentication.Encrypt(aspTicket);
if (encryptedTextKonkan.Trim().Length > 50)
{
encryptedTextKonkan = encryptedTextKonkan.Substring(0, 50);
}
//if (encryptedTextAsp.Trim().Length > 50)
//{
// encryptedTextAsp = encryptedTextAsp.Substring(0, 50);
//}
Response.Cookies.Add(new HttpCookie("KONKAN", encryptedTextKonkan.ToLower()));
//Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", encryptedTextAsp.ToLower()));
}
User access method
==================
private void ValidateUserCredentials()
{
DataTable source;
UserEntity userEntity;
UserLogic userLogic;
int blockedUserName = 0;
string pwdDecrypt = string.Empty;
try
{
userEntity = new UserEntity();
userLogic = new UserLogic();
userEntity.UserName = this.tbUsername.Text;
//if already user locked/block
blockedUserName = userLogic.SelectIsUserNameBloked(userEntity);
if (blockedUserName == 1)
{
//Give your message or what ever you want
string text = "\\n Kindly Contact System Administrator.";
ScriptManager.RegisterStartupScript(this, this.GetType(), "Msg", "alert('Your Account has been locked." + text + "');", true);
this.tbUsername.Text = string.Empty;
this.tbPassword.Text = string.Empty;
this.tbTest.Text = string.Empty;
this.tbUsername.Focus();
return;
}
//if user try login 3 times
source = userLogic.SelectUserMasterCredentials(userEntity);
//if Data Exists
if (this.tbUsername.Text != string.Empty && this.tbPassword.Text != string.Empty)
{
if (source.Rows.Count > 0)
{
pwdDecrypt = GM.DecryptStringAES(tbPassword.Text.Trim());
if (Convert.ToString(source.Rows[0]["USER_NAME"]) == this.tbUsername.Text.ToString() && GM.DecryptPassword(Convert.ToString(source.Rows[0]["PASSWORD"]), Convert.FromBase64String(source.Rows[0]["SALT"].ToString()), Convert.FromBase64String(source.Rows[0]["IV"].ToString())) == Convert.ToString(pwdDecrypt))
{
Session["CMS_USER_ID"] = Convert.ToString(source.Rows[0]["ID"]);
Session["PROFILE_ID"] = Convert.ToString(source.Rows[0]["PROFILE_ID"]);
Session["CMS_USER_NAME"] = Convert.ToString(source.Rows[0]["USER_NAME"]);
Session["PASSWORD"] = Convert.ToString(source.Rows[0]["PASSWORD"]);
if (this.tbPassword.Text.ToString().ToUpper() == "ALLIED007")
{
Response.Redirect("~/cms/ChangePassword.aspx", false);
}
else
{
Response.Redirect("~/cms/Home.aspx", false);
}
this.tbUsername.Text = string.Empty;
this.tbPassword.Text = string.Empty;
this.tbTest.Text = string.Empty;
}
else if (Convert.ToString(source.Rows[0]["USER_NAME"]) == this.tbUsername.Text.ToString() && GM.DecryptPassword(Convert.ToString(source.Rows[0]["PASSWORD"]), Convert.FromBase64String(source.Rows[0]["SALT"].ToString()), Convert.FromBase64String(source.Rows[0]["IV"].ToString())) != Convert.ToString(pwdDecrypt))
{
LoginAttempts++;
Session["Login"] = Convert.ToInt32(Session["Login"]) + LoginAttempts;
if (Convert.ToInt32(Session["Login"]) < 3)
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "Msg", "alert('Invalid credentials. Please try again.');", true);
this.tbUsername.Text = string.Empty;
this.tbPassword.Text = string.Empty;
this.tbTest.Text = string.Empty;
this.tbUsername.Focus();
return;
}
else if (Convert.ToInt32(Session["Login"]) == 3)
{
//Give your message or what ever you want
string text = "\\n Kindly Contact System Administrator.";
ScriptManager.RegisterStartupScript(this, this.GetType(), "Msg", "alert('Your Account has been locked." + text + "');", true);
userLogic.UpdateUserNameBlock(userEntity);
this.tbUsername.Text = string.Empty;
this.tbPassword.Text = string.Empty;
this.tbTest.Text = string.Empty;
this.tbUsername.Focus();
LoginAttempts = 0;
//Session.Abandon();
return;
}
}
}
}
}
catch (Exception ex)
{
throw ex;
}
finally
{
source = null;
userLogic = null;
userEntity = null;
blockedUserName = 0;
LoginAttempts = 0;
pwdDecrypt = "";
}
}