
I understand that the way I'm doing the login function is not secure. But since I'm a novice, I don't want to go too deep at first, and prefer to do it in the most simple and basic way first.

So far, what I've done: I have an Admin model

public class Admin
{
    public string AdminUsername { get; set; }
    public string Password { get; set; }
}

I have 2 views, namely AdminRegister.cshtml and AdminLogin.cshtml. I have done the Register part; I know the password should not be stored in the DB, and that password hashing should be used instead. But for now, I just want to complete the login function in a basic manner.

Their respective action methods in the controller are as follows:

public ActionResult AdminRegister(Admin model)
{
    using (var store = new DocumentStore
    {
        Url = "http://localhost:8080/",
        DefaultDatabase = "foodfurydb"
    })
    {
        store.Initialize();

        using (var session = store.OpenSession())
        {
            session.Store(model);
            session.SaveChanges();
        }
    }
    return RedirectToAction("Home");
}

[HttpPost]
public ActionResult AdminLogin(Admin model)
{
    Admin login = new Admin();
    using (var store = new DocumentStore
    {
        Url = "http://localhost:8080/",
        DefaultDatabase = "foodfurydb"
    })
    {
        store.Initialize();

        using (var session = store.OpenSession())
        {
            // Deferred query: nothing is sent to RavenDB until the result is enumerated
            // (e.g. with FirstOrDefault()), so adminInput itself is never null here.
            var adminInput = session
                .Query<Admin>()
                .Where(u => u.AdminUsername.Equals(model.AdminUsername) && u.Password.Equals(model.Password));

            if (adminInput != null)
            {
                // the login check has not been written yet
            }
        }
    }
    return View();
}

For the login part, I assume that I should query to check whether a user with that particular username and password exists in the DB or not. And then I'm stuck and don't know how to compare the login input with the data from the DB! I'd appreciate it if someone is kind enough to lead me! Just a simple one, though! Thank you very much.


Find out whether the user exists first:

var count = session
    .Query<Admin>()
    .Where(u => u.AdminUsername == model.AdminUsername)
    .Count(); // Count() executes the query; Where alone only returns an IQueryable, which cannot be compared with 0

if (count > 0)
{
    // user exists in db: log in
    return RedirectToAction("AddRestaurant");
}
else
{
    // user does not exist in db: stay on the home page
    return RedirectToAction("Home");
}

I managed to find out whether the username in the login field exists in the DB or not. If yes, it will log in; else it will stay at the home page. But at this stage, I haven't got an idea how to verify the password. I'd appreciate it if anyone can guide me on this.

jenna_3108

1 Answer

Let us avoid storing the password in plain text entirely.

We'll first start by loading the document for that user:

var adminInput = session
    .Query<Admin>()
    .Where(u => u.AdminUsername == model.AdminUsername)
    .FirstOrDefault();

Note that I'm using FirstOrDefault to actually execute the query, so we'll have the result.

Then, you check if the user exists, and if he does, you need to compare the number.

See this post on how to do this properly: How to hash a password

Ayende Rahien
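As an added example (not part of the answer above or of the question's project), here is one way to do the "load the document, then compare" step with a salted PBKDF2 hash instead of comparing plain text. The PasswordSalt/PasswordHash properties, the PasswordHasher class and the Raven.Client namespace for IDocumentSession are assumptions.

```csharp
using System.Linq;
using System.Security.Cryptography;
using Raven.Client; // IDocumentSession; assumed RavenDB 2.x/3.x client as in the question

// Assumed replacement for the Admin model: the plain-text Password is replaced by a random
// salt and a PBKDF2 hash, so the stored document never contains the password itself.
public class Admin
{
    public string AdminUsername { get; set; }
    public byte[] PasswordSalt { get; set; }
    public byte[] PasswordHash { get; set; }
}
public static class PasswordHasher // hypothetical helper name
{
    private const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    // AdminRegister path: derive a fresh salt and hash to store instead of model.Password.
    public static Admin Create(string username, string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return new Admin { AdminUsername = username, PasswordSalt = salt,
                               PasswordHash = kdf.GetBytes(HashSize) };
    }
    // AdminLogin path: recompute with the stored salt and compare every byte, so the time
    // taken does not depend on how many leading bytes happen to match.
    public static bool Verify(string password, byte[] salt, byte[] expectedHash)
    {
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            actual = kdf.GetBytes(expectedHash.Length);
        int diff = 0;
        for (int i = 0; i < actual.Length; i++)
            diff |= actual[i] ^ expectedHash[i];
        return diff == 0;
    }
    // The comparison step from the answer, given the session opened in the question's
    // AdminLogin action and the posted username/password.
    public static bool CheckLogin(IDocumentSession session, string username, string password)
    {
        var stored = session.Query<Admin>()
            .Where(u => u.AdminUsername == username)
            .FirstOrDefault();
        // Unknown user and wrong password yield the same result, so the response reveals neither.
        return stored != null && Verify(password, stored.PasswordSalt, stored.PasswordHash);
    }
}
```

In the controller, AdminRegister would store `PasswordHasher.Create(...)` instead of the posted model, and AdminLogin would redirect only when `CheckLogin` returns true.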