Authenticate the Valid User Via User id and MD5 Hashed Password

This article describes how to authenticate a valid user via user ID and MD5-hashed password.

Introduction

This article shows how to validate the user through the user id and hashed password saved in the database.

For the demonstration, I will:

  1. Get a table in the database that stores the login credentials of the user.
  2. Create a website and add an MD5 conversion JavaScript file.
  3. Add a page to the website with 2 textboxes for User ID and Password and a login button.
  4. Add a reference to the MD5 conversion file on the page and create a JavaScript function to convert the plain password to the hashed password.
  5. Add code on page load that creates a salt and passes it to the JavaScript function through an attribute added to the login button, and code in the button click event to match the data.

Note: To understand more about the first point, see my previous article "Generate the Client-side Hash Via MD5 Algorithm and Saving to Database" (http://www.c-sharpcorner.com/UploadFile/a20beb/generate-the-client-side-hash-via-md5-algorithm-and-saving-t/).

Step 1

I have a table named "LoginTable" in the database that stores the login credentials of the user.

Step 2

Create a website and add an MD5 conversion JavaScript file.
  1. Create an empty website named "LoginCredentials".

  2. Add a new folder on the root and name it "Scripts". Add the "md5.js" into the "Scripts" folder.

    Note: You can find the "md5.js" in the attached file.

Step 3

Add a page to the website with 2 textboxes for User ID and Password and a Login button.
  1. Add a page named "Login.aspx".

  2. Add some controls on the page like:
    • Text box for user id named "txtUserID".
    • Text box for password named "txtpwd" with TextMode="Password".
    • Button for login named "btn_login" with "onclick" event.

Step 4

Add a reference to the MD5 conversion file on the page and create a JavaScript function to convert the plain password to the hashed password.

  1. Add the reference to the MD5 conversion file on the page as in the following:

    <script src="Scripts/md5.js"></script>

  2. Create a JavaScript function to convert the plain password to the hashed password in the "head" section of the page as in the following:

    <script type="text/javascript">

        function HashPwdwithSalt(salt) {

            if (document.getElementById("txtpwd").value != "") {

                // First hash: plain text password -> MD5 hash
                document.getElementById("txtpwd").value = hex_md5(document.getElementById("txtpwd").value);

                // Second hash: MD5 hash + salt -> value posted to the server
                document.getElementById("txtpwd").value = hex_md5(document.getElementById("txtpwd").value + salt);

            }
        }
    </script>

    Note: The "hex_md5" function is defined in the "md5.js" file. The password is converted to a hash 2 times here: first the plain text is converted to a hash, then that hash is hashed again together with the salt, just for safety purposes. If only a single hash were sent and matched on the server side, any hacker who got the hashed password could easily enter it into the system.

Step 5

Add code on page load that creates the salt and passes it to the JavaScript function through an attribute added to the login button, and code in the button click event to match the data.
  1. Create a method that takes the size of the salt and returns a salt generated by the cryptographic random number generator.

    // Requires: using System.Security.Cryptography;
    private string CreateSalt(int size)
    {
        // Fill a buffer of the requested size with cryptographically strong random bytes
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] buff = new byte[size];
        rng.GetBytes(buff);
        return Convert.ToBase64String(buff);
    }

  2. Store the generated value in the salt variable and attach the JavaScript function call, with the salt as its parameter, to the login button by adding an "onclick" attribute.

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            //get a salt built from 5 random bytes
            string salt = CreateSalt(5);

            //Save the salt in session variable
            Session["salt"] = salt.ToString();

            //Add the JS function call to button with a parameter
            btn_login.Attributes.Add("onclick", "return HashPwdwithSalt('" + salt.ToString() + "');");
        }
    }

  3. In the login button click event, get the hashed password from the database if the user id is valid. Then hash it again with the already generated salt and match it against the password value submitted by the user to check the authenticity of the user.

    // Requires: using System.Data; using System.Data.SqlClient;
    //           using System.Configuration; using System.Web.Security;
    protected void btn_login_Click(object sender, EventArgs e)
    {
        if (txtUserID.Text != "" && txtpwd.Text != "")
        {
            //Get the password from the database
            using (SqlConnection connection = new SqlConnection())
            {
                connection.ConnectionString = ConfigurationManager.ConnectionStrings["constr"].ToString();
                connection.Open();
                SqlCommand cmd = new SqlCommand();
                cmd.Connection = connection;
                //Pass the user id as a parameter instead of concatenating it into the SQL text
                cmd.CommandText = "Select pwd from LoginTable where UserID=@UserID";
                cmd.Parameters.AddWithValue("@UserID", txtUserID.Text);
                cmd.CommandType = CommandType.Text;
                object pwd = cmd.ExecuteScalar();
                cmd.Dispose();
                connection.Close();

                //No row for this user id, or the salt is no longer in the session
                if (pwd == null || pwd == DBNull.Value || Session["salt"] == null)
                { Response.Write("Invalid User"); return; }

                // create the hash of the correct password with salt
                string hashed_pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(pwd.ToString().ToLower() + Session["salt"].ToString(), "md5");

                // match both passwords
                if (hashed_pwd.ToLower().Equals(txtpwd.Text))
                {
                    Response.Write("Valid User");// redirect to Home page
                }
                else
                { Response.Write("Invalid User"); return; }

            }
        }
    }

At Run Time

After running the page, check both conditions: a correct password and an incorrect password.

  1. For Valid User: type the valid user id and password.

    Note: Here the valid User ID is "Admin" and password is "abcd1234".

    Result: The output will be "Valid User".

  2. For Invalid User: If I fill in the wrong password then it will give a different output:

    Here I have provided "123" as the password.

    Result: The output will be "Invalid User".
