Authenticate the Valid User Via User id and MD5 Hashed Password

Rahul Bansal
Aug 27, 2014
18.5k
0
1
Article

Introduction

This article shows how to validate the user through the user id and hashed password saved in the database.

For the demonstration, I will:

Get a table in the database that stores the login credentials of the user.
Create a website and add a MD5 conversion file of JavaScript.
Add a page to the website with 2 textboxes for User ID and Password and a save button.
Add a reference of the MD5 conversion file on the page and create a JavaScript function to convert the plain password to the hashed password.
Add the code on the page load for creating salt and send it the JavaScript function via attribute add of the save button and on a button click event to match the data.

Note: To understand more about the first point go to my previous article "Generate the Client-side Hash Via MD5 Algorithm and Saving to Database (http://www.c-sharpcorner.com/UploadFile/a20beb/generate-the-client-side-hash-via-md5-algorithm-and-saving-t/).

Step 1

I have a table named "LoginTable" in the database, that stores the login credentials of the user.

Step 2

Create a website and add a MD5 conversion file of JavaScript.

Create an empty website named "LoginCredentials".
Add a new folder on the root and name it "Scripts". Add the "md5.js" into the "Scripts" folder.

Note: You can find the "md5.js" in the attached file.

Step 3

Add a page in the website with 2 textboxes for User ID and Password and Login button.

Add a page named "Login.aspx".
Add some controls on the page like:
- Text box for user id named "txtUserID".
- Text box for password named "txtpwd" with TextMode="Password".
- Button for login named "btn_login" with "onclick" event.

Step 4

Add a reference of the MD5 conversion file on the page and create a JavaScript function to convert the plain password to the hashed password.

Add the reference of the MD5 conversion file on the page as in the following:
1. <script src="Scripts/md5.js"></script>
Create a JavaScript function to convert the plain password to the hashed password in the "head" section of the page as in the following:
1. <script type="text/javascript">
3. function HashPwdwithSalt(salt) {
5. if (document.getElementById("txtpwd").value != "") {
7. document.getElementById("txtpwd").value = hex_md5(document.getElementById("txtpwd").value);
9. document.getElementById("txtpwd").value = hex_md5(document.getElementById("txtpwd").value + salt);
11. }
12. }
13. </script>
Note: "hex_md5" function exists in the "md5.js" file and here the conversion of the password into a hash has been done 2 times. First for converting the plain text to a hash then the hashed text to a hash with salt, just for safety purposes. If I do the single hash and match it on the server side then any hacker can get the hash password and easily enter it into the system.

Step 5

Add the code on the page load for creating the salt and send it the JavaScript function via attribute add of the save button and on the button click event to save the data.

Create a method that will get the size of the salt and return a salt after generation via the random number generator cryptography technique.
1. private string CreateSalt(int size)
2. {
3. RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
4. byte[] buff = new byte[size];
5. rng.GetBytes(buff);
6. return Convert.ToBase64String(buff);
7. }
Get the value in the salt variable and add the JavaScript function with salt parameter via attribute add of the save button.
1. protected void Page_Load(object sender, EventArgs e)
2. {
3. if (!IsPostBack)
4. {
5. //get the 5 digit salt
6. string salt = CreateSalt(5);
8. //Save the salt in session variable
9. Session["salt"] = salt.ToString();
11. //Add the JS function call to button with a parameter
12. btn_login.Attributes.Add("onclick", "return HashPwdwithSalt('" + salt.ToString() + "');");
13. }
14. }
Get the hash password from the database, if the user id is valid. Then hash it again with an already generated salt and match it with the filled in password by user to check the authenticity of the user on the login button click event.
1. protected void btn_login_Click(object sender, EventArgs e)
2. {
3. if (txtUserID.Text != "" && txtpwd.Text != "")
4. {
5. //Get the password from the database
6. using (SqlConnection connection = new SqlConnection())
7. {
8. connection.ConnectionString = ConfigurationManager.ConnectionStrings["constr"].ToString();
9. connection.Open();
10. SqlCommand cmd = new SqlCommand();
11. cmd.Connection = connection;
12. string commandText = "Select pwd from LoginTable where UserID='" + txtUserID.Text + "'";
13. cmd.CommandText = commandText;
14. cmd.CommandType = CommandType.Text;
15. object pwd = cmd.ExecuteScalar();
16. cmd.Dispose();
17. connection.Close();
19. // create the hash of the correct password with salt
20. string hashed_pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(pwd.ToString().ToLower() + Session["salt"].ToString(), "md5");
22. // macth the both passwords
23. if (hashed_pwd.ToLower().Equals(txtpwd.Text))
24. {
25. Response.Write("Valid User");// redirect to Home page
26. }
27. else
28. { Response.Write("Invalid User"); return; }
30. }
31. }
32. }

At Run Time

After running the page, check both of the conditions for authenticity for correct and incorrect password.

For Valid User: type the valid user id and password.

Note: Here the valid User ID is "Admin" and password is "abcd1234".

Result: Then the output will be a valid user.
For Invalid User: If I fill in the wrong password then it will give the different output like:

Here I have provided "123" as the password.

Result: Then the output will be "Invalid user".