ASP.Net MVC–Simple Application Security using Password Hashing before storing it to Database


Over this weekend a random requirement came into my mind. I found it interesting and started coding immediately. The main purpose of this article is to demonstrate how to store passwords on the server side in a DB in hashed form rather than as plain text. Hashing passwords increases the reliability and trustworthiness of an application from the customer's point of view, especially in security terms.

IMP Note –

In the recent past I have been working on client-side technologies in my day-to-day work, so my fingers shivered a bit when I started to write MVC code again. Nevertheless, I am glad to be back in the ASP.Net world; it is my base. The code you will find in this article is basic, not fancy. Kindly absorb the key points rather than the coding practices, and remember it is quick code.

Key Points to Remember for this article –

  1. I used the Entity Framework data model as the model classes for the MVC project.
  2. MVC 2 is used throughout the application.
  3. I did not use the Membership Provider for authorization and authentication; instead I used basic SQL tables as the backend. I would still suggest readers use the Membership Provider in MVC, which makes life easier and comes with more built-in security.
  4. Some action redirects and validations are done in a brute-force manner; I would suggest re-mapping them to better classes.
  5. A Products table is created in the SQL database just to demo secured data (the business requirement is explained later in the article).
  6. I trimmed the default MVC application completely and customized it accordingly.

Description of Requirement –

The intended application has some secured products in the SQL DB (here the table is Products). Users can log in and retrieve the products only through the MVC application. So a user first needs to register with the application, then log in to retrieve the secured product information.

The main focus of the complete process flow is "Registration", especially the Password field. Storing the password as a plain string in the DB is not a good practice, so we first generate a password salt using the cryptography API, then hash the original password string together with the salt into a more secure format using a hashing algorithm, and finally store the result in the Users table of the SQL DB.

While authenticating a user, we take the password string from the login form, look up the username in the DB, fetch the User entity and the password salt associated with it, combine the password string and the salt to generate the password hash, and finally compare the generated hash with the DB version. If both match, the user is authenticated; otherwise he is notified of an invalid login.


NOTE:- For this article I decided to go with only a high-level presentation of the solution (for the time being I am skipping my usual style of explaining in detail). Anyway, I am providing the complete code as a ZIP file for my readers.

DOWNLOAD PROJECT ZIP FILE

  1. The Entity Framework connection string in the Web.Config file needs to be changed accordingly. The database script can be downloaded from HERE. Create the database first and then generate the entity model accordingly. For more details on how to create an entity model for a DB, please visit – http://www.intstrings.com/ramivemula/c/entity-framework-creating-model-from-existing-database-and-using-it-in-sample-project-video-tutorial-1/
  2. After creating the DB and entity model, build the project. After a successful build, run the app.

And now the demo – after the demo I will talk about the high-level architecture.



Database Data –

PasswordSaltDB


High Level Architecture –

PasswordSaltSolution


Code For Password Salt Generation (in LoginController.cs) –

        // Requires at the top of LoginController.cs:
        // using System;
        // using System.Security.Cryptography;

        // Generates 32 cryptographically random bytes and returns them Base64-encoded,
        // so the salt can be stored in a string column next to the password hash.
        private static string CreateSalt()
        {
            RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
            byte[] byteArr = new byte[32];
            rng.GetBytes(byteArr);

            return Convert.ToBase64String(byteArr);
        }


Code for creating Password Hash (in LoginController.cs) –

        // Requires at the top of LoginController.cs:
        // using System;
        // using System.Web.Security;

        // Concatenates the password with the user's salt and hashes the result with SHA1
        // via the FormsAuthentication helper (returns an uppercase hex string).
        private static string CreatePasswordHash(string password, string salt)
        {
            string passwordSalt = String.Concat(password, salt);
            string hashedPwd = FormsAuthentication.HashPasswordForStoringInConfigFile(passwordSalt, "sha1");
            return hashedPwd;
        }
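As an added example that is not part of the article or its ZIP download, the following code shows the complete registration-and-login flow described above (salt generation at registration, hash recomputation and comparison at login) written against the same two DB columns, a Base64 salt and a hash. It keeps the article's method names but differs from the article's code in two ways a practitioner would want: it derives the stored value with PBKDF2 through Rfc2898DeriveBytes and an iteration count instead of a single SHA1 pass, and the login check compares the two hashes in fixed time. The class name PasswordStore, the iteration count, and the sample password are my own choices; it assumes .NET Framework 4.0 or later.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the article's code: salted password storage and verification.
public static class PasswordStore
{
    private const int SaltSize = 32;        // random bytes of salt per user
    private const int HashSize = 32;        // bytes of derived key stored per user
    private const int Iterations = 100000;  // assumed value; raise as hardware allows

    // Registration step 1: 32 random bytes, Base64 for the Users.PasswordSalt column.
    public static string CreateSalt()
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        return Convert.ToBase64String(salt);
    }

    // Registration step 2: derive the stored hash from password + salt with PBKDF2.
    // Rfc2898DeriveBytes(password, salt, iterations) is the constructor available
    // on every .NET Framework version, so it also fits an MVC 2 project.
    public static string CreatePasswordHash(string password, string saltBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return Convert.ToBase64String(kdf.GetBytes(HashSize));
        }
    }

    // Login step: recompute the hash with the salt stored for this user and
    // compare it with the stored hash. Mismatch length or bytes -> invalid login.
    public static bool VerifyPassword(string password, string storedSaltBase64, string storedHashBase64)
    {
        byte[] expected = Convert.FromBase64String(storedHashBase64);
        byte[] actual = Convert.FromBase64String(CreatePasswordHash(password, storedSaltBase64));
        return FixedTimeEquals(expected, actual);
    }

    // Walks the full length regardless of where the first differing byte is,
    // so the response time does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}

// Constructed usage: what the Register and Login actions would call.
public static class Demo
{
    public static void Main()
    {
        // Register: both values go into the Users row.
        string salt = PasswordStore.CreateSalt();
        string hash = PasswordStore.CreatePasswordHash("S3cret!", salt);

        // Login: the salt and hash come back from the Users row for the given username.
        bool correct = PasswordStore.VerifyPassword("S3cret!", salt, hash);
        bool wrong = PasswordStore.VerifyPassword("wrong", salt, hash);
        Console.WriteLine("correct password accepted: " + correct);
        Console.WriteLine("wrong password accepted: " + wrong);
    }
}
```

Because this produces a different hash format from the article's SHA1 hex string, rows already stored with the article's CreatePasswordHash would have to be re-hashed the next time the user logs in successfully. The iteration count is the knob that makes offline guessing of a leaked Users table expensive; a single SHA1 pass gives none of that.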

The remaining code is pretty simple; one can easily understand it by stepping through it in the debugger. I have also used a simple session variable to track the login status of the user: when a user logs in we store his username in the Session, and when he logs out we clear the session variable. This can be done in a much better way through forms authentication, but due to time constraints I decided to go with quick coding.

NOTE -

If you have any difficulty understanding the flow of the code, please feel free to leave a comment. I will address it as soon as possible.

Next time I will come back with more consolidated, to-the-point concepts in the MVC framework. Till then, enjoy coding…!!!

  • hajan

    Simple and nice ;)

  • sanjay

    Nice Article…….
    Very Helpful……
    Thanks……

  • ASP Ninja

    Nice very helpful

  • dragular

    Very Nice


  • Sandeep Rao

    The code is nice, but while debugging I came across what I would call a security issue… the password typed is posted as plain text, i.e. the password comes over the channel to the server as plain text… and browser memory may store the same…

    Please enlighten me if I'm wrong.

  • Srinivas Alwala

    Hi Ravi,

    Recently, I posted my queries related to this topic.

    Pls reply to my queries at your earliest.

    I can be reached at my email address: srinivas0906@gmail.com
    Skype Id: srinivas0906

    Regards,
    Srinivas Alwala
    Cell: 9869155243

  • pavankumar

    I am a beginner, so how can I create a simple login page that checks against the database?

    @Pavan – Check out this tutorial – http://www.dotnetfunda.com/articles/article808-how-to-write-a-simple-login-page-in-aspnet.aspx
    Thanks,

  • pavankumar

    How can I write this in MVC 2 (model view controller)?

  • pavankumar

    B M4 2

    @Pavan – I never got you?

  • RamiVemula

    @Pavan – Try to google out.