0

I need to compare the username field and the password field with the ones in the database. My code does work, but the problem is that the comparison is not case sensitive. Below is part of my code; I know I must be missing something silly. Any help will be appreciated, thanks.

var UserDetail = db.UserTbls.Where(x => x.UserName == UserModel.UserName &&
                                        x.Password == UserModel.Password).FirstOrDefault();

if (UserDetail == null)
{
    UserModel.loginErrorMessage = "Wrong Username or Password";
    return View("Login", UserModel);
}
else 
{
    Session["UserId"] = UserDetail.UserId;
    return RedirectToAction("Index", "Home");
}
Uwe Keim
O.A.K
  • Under no circumstances should passwords be stored in a database as plain text. They need to be hashed and salted. I suggest you work through the tutorials on [Security, Authentication and Authorization](https://www.asp.net/mvc) –  May 04 '18 at 04:23
  • convert both the strings to upper or lower and then compare – Aswani Madhavan May 04 '18 at 04:25
  • Calling `ToLower()` or `ToUpper()` to do case-insensitive comparison is a BAD idea! These method calls create a new copy! Instead one should consider the `String.Equals` method with `OrdinalIgnoreCase` or a similar IgnoreCase type enum value. – Shyju May 04 '18 at 04:28

3 Answers

2

EF to SQL Server will perform string comparisons case-insensitively. To perform a case-sensitive check like you describe:

// Narrow by user name in SQL (collation decides case there), then materialize the rows.
var users = db.UserTbls.Where(x => x.UserName == UserModel.UserName).ToList();
// Compare the password in memory, where == on strings is an ordinal (case-sensitive) check.
var matchingUser = users.SingleOrDefault(x => x.Password == UserModel.Password);

The .ToList() will mean the next expression will be evaluated against Objects, returning all user records with that name. If user names are unique then this should be a SingleOrDefault(). From there the == operation on the password will be case sensitive by default.

However, as mentioned by Stephen, passwords should always be hashed with a salt and stored, where the HASHES are compared, not plain-text passwords.

I recommend reading up on SHA-1 hashes.

Steve Py
  • The SHA-1 hash algorithm is no longer secure. https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/ – Travis J May 05 '18 at 07:36
  • SHA-1 and even MD5 are functional for password hashes though they should not be relied on solely for securing an application or site login. Sites for example should include a reCAPTCHA as well as detect & lock accounts after n number of failed logins, plus a site should be recording IP addresses of failed logins to assist with setting up blacklists from DoS attacks. (i.e. denying access by locking guessed account names.) SHA-1-3 are not cryptographically secure for certificates. – Steve Py May 08 '18 at 06:54
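The salted-hash approach that the answer and the comments call for, as an added example that is not code from the question or from any answer here. It stores a per-user random salt and a PBKDF2-HMAC-SHA256 hash, and checks a login by recomputing the hash rather than comparing plain-text passwords; the in-memory `List<UserRecord>` stands in for `db.UserTbls`, and `UserRecord`, `PasswordHasher` and `LoginService` are hypothetical names. It assumes .NET 6 or later for `Rfc2898DeriveBytes.Pbkdf2` and `RandomNumberGenerator.GetBytes`.

```csharp
// Added example; not code from the question or any answer on this page.
// Assumes .NET 6+ (Rfc2898DeriveBytes.Pbkdf2, RandomNumberGenerator.GetBytes).
// UserRecord, PasswordHasher and LoginService are hypothetical names; the List<UserRecord>
// stands in for db.UserTbls in the question.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

public sealed class UserRecord
{
    public int UserId { get; init; }
    public string UserName { get; init; } = "";
    public byte[] Salt { get; init; } = Array.Empty<byte>();
    public byte[] PasswordHash { get; init; } = Array.Empty<byte>();
}

public static class PasswordHasher
{
    // Example parameters: 16-byte random salt, 32-byte output, 100k iterations of
    // PBKDF2-HMAC-SHA256. Tune the iteration count to your hardware budget.
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int Iterations = 100_000;

    public static (byte[] Salt, byte[] Hash) Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                HashAlgorithmName.SHA256, HashSize);
        return (salt, hash);
    }

    public static bool Verify(string password, byte[] salt, byte[] expectedHash)
    {
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                  HashAlgorithmName.SHA256, expectedHash.Length);
        // Constant-time comparison so response timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expectedHash);
    }
}

public sealed class LoginService
{
    private readonly List<UserRecord> _users; // in-memory stand-in for db.UserTbls
    private int _nextId = 1;

    public LoginService(List<UserRecord> users) => _users = users;

    public void Register(string userName, string password)
    {
        var (salt, hash) = PasswordHasher.Hash(password);
        _users.Add(new UserRecord { UserId = _nextId++, UserName = userName,
                                    Salt = salt, PasswordHash = hash });
    }

    // Returns the UserId on success, null otherwise. The same null comes back whether the
    // name is unknown or the password is wrong, matching the single
    // "Wrong Username or Password" message in the question.
    public int? Login(string userName, string password)
    {
        // The user-name lookup may ignore case (as a case-insensitive SQL collation would);
        // the password check is against the hash, which is exact by construction.
        var user = _users.SingleOrDefault(u =>
            string.Equals(u.UserName, userName, StringComparison.OrdinalIgnoreCase));
        if (user is null) return null;
        return PasswordHasher.Verify(password, user.Salt, user.PasswordHash) ? user.UserId : null;
    }
}

public static class Program
{
    public static void Main()
    {
        var service = new LoginService(new List<UserRecord>());
        service.Register("alice", "password"); // constructed sample user

        foreach (var (name, pwd) in new[] { ("alice", "password"), ("ALICE", "password"),
                                            ("alice", "PASSWORD"), ("bob", "password") })
        {
            int? id = service.Login(name, pwd);
            Console.WriteLine($"{name}/{pwd}: {(id is null ? "denied" : "user " + id)}");
        }
    }
}
```

With this layout the case question answers itself: the user-name lookup can stay forgiving, but "PASSWORD" no longer logs in as "password", because the stored value is a hash of the exact bytes entered and the comparison is byte-for-byte. The database never holds the password, and a wrong name and a wrong password produce the same result and the same amount of work.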
0

The string.Compare method has an overload which you can use for comparing the username and passwords.

As Stephen mentioned, you certainly need to work on implementing proper security measures.

danish
0

If you want to compare user names ignoring case, this is an option:

x.UserName.Equals(UserModel.UserName, StringComparison.OrdinalIgnoreCase)

If you want to compare user names case sensitive, this is an option:

x.UserName.Equals(UserModel.UserName, StringComparison.Ordinal)

Update:

For anyone coming to this post who sees my answer, I'd like to point to Steve Py's answer, which I've upvoted. And, here is a nice related explanation.

(I figured that I might as well leave my answer here in case it's still helpful for people to see different approaches to comparing strings)

egnomerator
  • **but the problem is that the comparison is not case sensitive**. – Shyju May 04 '18 at 04:30
  • I was confused by that statement, because the current implementation by the OP using `==` is case sensitive, right? I'll update my answer to include a case sensitive option as well – egnomerator May 04 '18 at 04:33
  • @egnomerator exactly, I know using == is case sensitive comparison, but when I was testing it allowed me to login if I typed "PASSWORD" or "password", but if for example I typed "any string" instead of "password" it will give me the error message – O.A.K May 05 '18 at 08:42
  • @O.A.K thank you for explaining. And, having come back to this post, I see that [Steve Py's](https://stackoverflow.com/users/423497/steve-py) answer may be the key. And, [here](https://stackoverflow.com/a/3843382/9533368) is a pretty nice further explanation. – egnomerator May 05 '18 at 16:18
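The comparison behaviours discussed across the three answers and the comments, as an added example that is not code from any answer here. It models the gotcha from the comment thread (the `==` that EF sends to SQL Server is decided by the column's collation, case-insensitive by default, while `==` in memory is ordinal), shows the `string.Compare` overload and the two `StringComparison` options, and shows why `ToUpper()` is a poor substitute for `OrdinalIgnoreCase`. `UserRow`, `SimulatedUserTable` and `Lookups` are hypothetical names; the table only imitates the server-side result rather than running EF; the tr-TR part assumes the runtime has culture data available (not invariant-globalization mode).

```csharp
// Added example; not code from any answer on this page.
// UserRow, SimulatedUserTable and Lookups are hypothetical names. SimulatedUserTable
// imitates what a case-insensitive SQL Server collation returns; it does not run EF.
// The tr-TR demonstration assumes culture data is available (not invariant globalization).
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

public sealed record UserRow(int UserId, string UserName, string Password);

public sealed class SimulatedUserTable
{
    private readonly List<UserRow> _rows;
    public SimulatedUserTable(List<UserRow> rows) => _rows = rows;

    // Stand-in for the server-side WHERE clause: under a case-insensitive default
    // collation, "Alice" and "alice" match. Real EF translates x.UserName == name to SQL
    // and the collation decides; this only reproduces that outcome in memory.
    public List<UserRow> WhereUserNameIs(string name) =>
        _rows.Where(r => string.Equals(r.UserName, name, StringComparison.OrdinalIgnoreCase))
             .ToList();
}

public static class Lookups
{
    // Steve Py's two-step pattern: let the database narrow by name, then apply the exact
    // comparison in memory, where == on strings is ordinal. Shown on a plain-text value only
    // to illustrate the comparison; real code compares a salted hash instead.
    public static UserRow? FindCaseSensitive(SimulatedUserTable table, string name, string password)
    {
        List<UserRow> candidates = table.WhereUserNameIs(name);        // evaluated "in SQL"
        return candidates.SingleOrDefault(u => u.Password == password); // evaluated in memory
    }

    // danish's suggestion: the string.Compare overload that takes a StringComparison.
    public static bool CompareOrdinal(string a, string b) =>
        string.Compare(a, b, StringComparison.Ordinal) == 0;

    // egnomerator's two options.
    public static bool EqualsIgnoreCase(string a, string b) =>
        a.Equals(b, StringComparison.OrdinalIgnoreCase);
    public static bool EqualsExact(string a, string b) =>
        a.Equals(b, StringComparison.Ordinal);

    // Why Shyju's warning about ToUpper() matters beyond the extra allocation: casing is
    // culture-dependent. Under tr-TR, "i".ToUpper() is U+0130 (dotted capital I), so a
    // ToUpper()-based check can disagree with OrdinalIgnoreCase even for ASCII input.
    public static (bool ViaToUpper, bool ViaOrdinalIgnoreCase) TurkishCasingTrap(string a, string b)
    {
        var tr = CultureInfo.GetCultureInfo("tr-TR");
        bool viaToUpper = a.ToUpper(tr) == b.ToUpper(tr);
        bool viaOrdinal = string.Equals(a, b, StringComparison.OrdinalIgnoreCase);
        return (viaToUpper, viaOrdinal);
    }
}

public static class Program
{
    public static void Main()
    {
        var table = new SimulatedUserTable(new List<UserRow>
        {
            new(1, "alice", "password"), // constructed sample rows
            new(2, "bob",   "Secret"),
        });

        Console.WriteLine(Lookups.FindCaseSensitive(table, "ALICE", "password")?.UserId);
        Console.WriteLine(Lookups.FindCaseSensitive(table, "alice", "PASSWORD")?.UserId);
        Console.WriteLine(Lookups.CompareOrdinal("password", "PASSWORD"));
        Console.WriteLine(Lookups.EqualsIgnoreCase("alice", "ALICE"));
        Console.WriteLine(Lookups.EqualsExact("alice", "ALICE"));
        Console.WriteLine(Lookups.TurkishCasingTrap("file", "FILE"));
    }
}
```

Running it reproduces the behaviour O.A.K saw: the name lookup tolerates "ALICE", but once the candidate rows are in memory the `==` on the second field is exact, so a wrong-case value is rejected. The last line is the reason to reach for `StringComparison.OrdinalIgnoreCase` rather than `ToUpper()`: the two approaches give different answers for the same ASCII strings once the thread culture is Turkish.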