ASP.NET 2.0 Login Integration

Snitz™ Forums 2000
https://forum.snitz.com/forumTopic/Posts/63909?pagenum=1
05 November 2025, 14:23

Topic


the agony booth
ASP.NET 2.0 Login Integration
01 February 2007, 17:30


Hi folks,

This is not exactly a MOD, but something related to the forums that I think other people might find useful.
I'm adding a new application to my site that's written in ASP.NET 2.0. I'd like existing users of the forum to be able to log in to this new application with their forum usernames and passwords. Basically, I don't want my users to have to create two separate logins for the same site.

Ideally, the ASP.NET 2.0 code would use FormsAuthentication, and then authenticate against the password in the FORUM_MEMBERS table.
The problem I'm running into is the SHA256 encryption. The .NET code needs to encrypt the user-entered password with SHA256 to do the comparison. I'm trying to use the System.Security.Cryptography.SHA256Managed class to do this, but it's giving me a completely different result than the function in inc_sha256.asp.
Has anyone tried this? I would really like to avoid rewriting inc_sha256.asp in .NET, unless I absolutely have to.


Replies ...


the agony booth
01 February 2007, 17:47


Never mind. I found what I was looking for in this thread:
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=63690

So that this topic isn't a total waste, I'll post my code once I get it working.

HuwR
01 February 2007, 18:19


I have fully integrated the Snitz forums with .Net 2 authentication and membership/profiles (see the Snitz .Net threads). If you want the code, I can post it for you.
the agony booth
01 February 2007, 18:31


Is that in the "ASP.NET Conversion" thread over in ASP.NET help? I figured it was somewhere in there, but it was a little tough to sift through all the posts to find it. If you can post the code here that would be great.
In the meantime, here's a little snippet I came up with. This actually might be all I need for my (very limited) requirements.
Login.aspx:

Code:

Imports System.Configuration
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Text
Imports System.Web.Security

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click

    Dim oSqlConn As New SqlConnection(ConfigurationManager.ConnectionStrings("Forum").ConnectionString)

    ' The e-mail field is concatenated straight into the SQL text.
    Dim sSql As String = "select m.M_Password " & _
        "from FORUM_MEMBERS m where m.M_Email = '" & UserEmail.Value & "'"

    Dim oSqlCmd As New SqlCommand(sSql, oSqlConn)
    oSqlConn.Open()

    ' ExecuteScalar returns the stored hash, or Nothing when no row matches.
    Dim sPassword As String = oSqlCmd.ExecuteScalar()
    oSqlConn.Close()

    Dim sPassHash As String = SHA256Hash(UserPass.Value)
    If sPassHash.Equals(sPassword) Then
        FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked)
    Else
        Msg.Text = "Invalid Credentials: Please try again"
    End If

End Sub


' SHA-256 over the ASCII bytes of the input, returned as lowercase hex.
Public Shared Function SHA256Hash(ByVal Data As String) As String
    Dim sha As SHA256 = New SHA256Managed
    Dim hash As Byte() = sha.ComputeHash(Encoding.ASCII.GetBytes(Data))
    Dim stringBuilder As StringBuilder = New StringBuilder
    For Each b As Byte In hash
        stringBuilder.AppendFormat("{0:x2}", b)
    Next
    Return stringBuilder.ToString
End Function


EDIT: Big prize to whoever spots the potential SQL injection security hole first! bigsmile

HuwR
01 February 2007, 19:42


First off, you should be using a parameterized query if you want to avoid SQL injection problems smile
This is the code used by the Snitz .Net membership provider to validate a user (may be a little buggy, as I normally write in C# not VB, so had to convert it).
Code:

Public Overloads Overrides Function ValidateUser(ByVal username As String, ByVal password As String) As Boolean
    Dim sql As String = "Select MEMBER_ID From FORUM_MEMBERS WHERE M_NAME=@Username AND M_PASSWORD=@Password"
    ' Using
    Dim conn As SqlConnection = New SqlConnection(connStr)
    Try
        ' Using
        Dim cmd As SqlCommand = New SqlCommand(sql, conn)
        Try
            Dim paramName As SqlParameter = New SqlParameter
            paramName.ParameterName = "@Username"
            paramName.Value = username
            cmd.Parameters.Add(paramName)
            Dim paramPwd As SqlParameter = New SqlParameter
            paramPwd.ParameterName = "@Password"
            paramPwd.Value = SHA256Hash(password)
            cmd.Parameters.Add(paramPwd)
            Try
                conn.Open
                Dim reader As SqlDataReader = cmd.ExecuteReader
                If reader.HasRows Then
                    Return True
                Else
                    Return False
                End If
            Catch
                Return False
            End Try
        Finally
            CType(cmd, IDisposable).Dispose()
        End Try
    Finally
        CType(conn, IDisposable).Dispose()
    End Try
End Function

Public Shared Function SHA256Hash(ByVal Data As String) As String
    Dim sha As SHA256 = New SHA256Managed
    Dim hash As Byte() = sha.ComputeHash(Encoding.ASCII.GetBytes(Data))
    Dim stringBuilder As StringBuilder = New StringBuilder
    For Each b As Byte In hash
        stringBuilder.AppendFormat("{0:x2}", b)
    Next
    Return stringBuilder.ToString
End Function

Or, if you want the C# version:
Code:

public static string SHA256Hash(string Data)
{
    SHA256 sha = new SHA256Managed();
    byte[] hash = sha.ComputeHash( Encoding.ASCII.GetBytes(Data) );

    StringBuilder stringBuilder = new StringBuilder();
    foreach( byte b in hash )
    {
        stringBuilder.AppendFormat("{0:x2}", b);
    }
    return stringBuilder.ToString();
}

public static bool ValidateUser(string username, string password)
{
    string sql = "Select MEMBER_ID From FORUM_MEMBERS WHERE M_NAME=@Username AND M_PASSWORD=@Password";

    using (SqlConnection conn = new SqlConnection(connStr))
    {
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            SqlParameter paramName = new SqlParameter();
            paramName.ParameterName = "@Username";
            paramName.Value = username;
            cmd.Parameters.Add(paramName);
            SqlParameter paramPwd = new SqlParameter();
            paramPwd.ParameterName = "@Password";
            paramPwd.Value = SHA256Hash(password);
            cmd.Parameters.Add(paramPwd);

            try
            {
                conn.Open();
                SqlDataReader reader = cmd.ExecuteReader();
                if (reader.HasRows)
                {
                    return true;
                }
                else
                {
                    return false;
                }
            }
            catch {
                //throw new Exception("Login Error");
                return false;
            }
        }
    }
}
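
The Login.aspx handler from earlier in the thread with its e-mail lookup bound as a parameter, as recommended above; this is an added example, not code posted by anyone in the thread. The class name `Login`, the helper `CheckForumPassword` and the 255-character parameter size are assumptions; control, table, column and connection-string names are taken from the original snippet.

```vbnet
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Text
Imports System.Web.Security

' Code-behind for Login.aspx; the class name "Login" is an assumption.
Partial Class Login
    Inherits System.Web.UI.Page

    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        If CheckForumPassword(UserEmail.Value, UserPass.Value) Then
            FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked)
        Else
            Msg.Text = "Invalid Credentials: Please try again"
        End If
    End Sub

    ' Hypothetical helper: fetches the stored hash by e-mail with a bound parameter,
    ' so the e-mail text is always data and never part of the SQL statement.
    Private Shared Function CheckForumPassword(ByVal email As String, ByVal password As String) As Boolean
        Dim connStr As String = ConfigurationManager.ConnectionStrings("Forum").ConnectionString
        Dim stored As Object
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand("select m.M_Password from FORUM_MEMBERS m where m.M_Email = @Email", conn)
                ' 255 is an assumed column width; match it to the real M_Email definition.
                cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 255).Value = email
                conn.Open()
                stored = cmd.ExecuteScalar()
            End Using
        End Using
        ' ExecuteScalar gives Nothing when no row matches and DBNull for a NULL column.
        If stored Is Nothing OrElse stored Is DBNull.Value Then Return False
        Return String.Equals(SHA256Hash(password), CStr(stored), StringComparison.Ordinal)
    End Function

    ' Same hashing as posted in the thread: SHA-256 over ASCII bytes, lowercase hex.
    Public Shared Function SHA256Hash(ByVal Data As String) As String
        Dim sha As SHA256 = New SHA256Managed()
        Dim hash As Byte() = sha.ComputeHash(Encoding.ASCII.GetBytes(Data))
        Dim sb As New StringBuilder()
        For Each b As Byte In hash
            sb.AppendFormat("{0:x2}", b)
        Next
        Return sb.ToString()
    End Function
End Class
```
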
puthen
02 October 2007, 18:11


Hi,
Did the agony booth get it to work? If so, can you post the code? puthen