I tried to hash the password before saving it in the database. When I want to log in, I compare the username and password (hashed password) with the database and, if there is a matching record, I return the "valid" string to the client. I want to use this API in an Angular project. Is the following code secure for a login system? Can a hacker inject headers to log in without having a username and password?

What I have tried:

[HttpPost]
public async Task<IActionResult> Login([FromForm] string username, [FromForm] string password)
{
    // Hash the submitted password with the project's own String2Hash helper
    // (not shown; the solution below asks what it actually does).
    string Hpassword = String2Hash.GetHashString(password);

    // Look up a user whose username and stored hash both match.
    var user = await _sqlServerContext.Users
        .FirstOrDefaultAsync(x => x.Username == username && x.Password == Hpassword);

    if (user != null)
    {
        // Copy the user's flags into server-side session state.
        HttpContext.Session.SetString("username", user.Username);
        HttpContext.Session.SetString("IsActive", user.IsActive.ToString());
        HttpContext.Session.SetString("IsLocked", user.IsLocked.ToString());
        HttpContext.Session.SetString("UserRole", user.UserRole);
        HttpContext.Session.SetString("CanAccessFiles", user.CanAccessFiles.ToString());
        HttpContext.Session.SetString("CanAccessMessages", user.CanAccessMessages.ToString());
        HttpContext.Session.SetString("CanAccessNotification", user.CanAccessNotifications.ToString());
        HttpContext.Session.SetString("CanAccessPmDatabase", user.CanAccessPmDatabase.ToString());

        return Ok("valid");
    }
    return NotFound("invalid");
}
Updated 8-Jun-22 7:51am

1 solution

That'll depend to a large extent on the hashing mechanism you used - and we have no idea what your String2Hash class is using, or what it does with the password you supply.

Even if you use a "Good hash" like SHA for example, unless you salt the password with information that is unique to the user (username and ID for example) then two or more users with the same password will generate the same hash. Anyone with access to your hashed values (and you'd be surprised how easy that is) can then work out several probable passwords very simply. For example, if you have 1000 users and 30% of the hashes are identical, then there is a very good chance that they all use "password" to login!

So start by looking at the class and seeing what it does: security is not as simple as it looks!
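As an added example (not the questioner's code, not the solution author's, and not from CodeProject), this is the per-user salting the solution describes, done with a random salt and PBKDF2 from the .NET base class library instead of a username/ID salt, plus the Login action rewritten around it. It assumes PasswordSalt and PasswordHash byte[] columns in place of the single Password string, an EF Core context type named AppDbContext, and .NET 6 or later for the static Pbkdf2 method; all of those names are assumptions.

```csharp
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

public static class PasswordStorage
{
    const int SaltSize = 16;        // 128-bit random salt, unique per user
    const int HashSize = 32;        // 256-bit derived key
    const int Iterations = 600_000; // PBKDF2-HMAC-SHA256 work factor; raise as hardware allows
    // Called when an account is created or its password changes.
    public static (byte[] Salt, byte[] Hash) Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                HashAlgorithmName.SHA256, HashSize);
        return (salt, hash);
    }

    // Recomputes the hash with the stored salt and compares in constant time: two users
    // with the same password get different hashes, and the comparison leaks no timing.
    public static bool Verify(string password, byte[] salt, byte[] expected)
    {
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                  HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public class AccountController : ControllerBase
{
    private readonly AppDbContext _sqlServerContext; // hypothetical DbContext type
    public AccountController(AppDbContext db) => _sqlServerContext = db;

    [HttpPost]
    public async Task<IActionResult> Login([FromForm] string username, [FromForm] string password)
    {
        var user = await _sqlServerContext.Users.FirstOrDefaultAsync(x => x.Username == username);
        // Same response for unknown user and wrong password, so the API does not reveal which usernames exist.
        if (user == null || !PasswordStorage.Verify(password, user.PasswordSalt, user.PasswordHash))
            return Unauthorized("invalid");
        // Session values live server-side; the browser holds only the opaque session cookie.
        HttpContext.Session.SetString("username", user.Username);
        HttpContext.Session.SetString("UserRole", user.UserRole);
        return Ok("valid");
    }
}
```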
   
Comments
Dave Kreskowiak 8-Jun-22 8:07am
   
I think he's asking if someone can inject their own Session variables to get past the login.
Code4Ever 8-Jun-22 13:50pm
   
Yes, this is important for me. I need to use session in my project but I'm not sure whether it's safe in the code I provided.
Dave Kreskowiak 8-Jun-22 15:29pm
   
There's a lot more to this than just your question. To directly answer your question, no because Session data is not sent in HTTP headers, but that doesn't mean your site or user data is "secure".

Read the section under "Session State": Session in ASP.NET Core | Microsoft Docs
Code4Ever 8-Jun-22 13:56pm
   
Can a hacker inject http response headers to reproduce "valid" response on my API and login?

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)