Tokengenerierung funktioniert und Sicherheitsmechanismus mittels Cryptographic Funktion auf VERAG_Prog_Allgemein verschlüsseltem Token an der URL zum PW Resetten

This commit is contained in:
ja
2021-10-08 13:45:16 +02:00
parent 46edf79845
commit 36e6191b5a
5 changed files with 107 additions and 23 deletions

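--- a/js/geturlofsite.js
+++ b/js/geturlofsite.js
@@ -0,0 +1,9 @@
+class geturlofsite {
+var url = ""
+function seturl() {
+url = window.location.href;
+}
+function geturl() {
+return new URL(url)
+};
+};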
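Review bot: The class body at L15–L23 is not valid JavaScript: `var url = ""` is not allowed inside a `class` body and `function seturl() {` is not method syntax, so the file fails to parse and the `<script>` include added to ChangePW.aspx (L40) loads nothing. Both methods also use a bare `url` instead of `this.url`, and `geturl()` evaluates `new URL("")` if `seturl()` has not run first, which throws. Nothing in this commit instantiates the class, so it may not be needed at all; a version that parses and keeps the same two methods is below.
```javascript
class geturlofsite {
    constructor() {
        this.url = "";
    }
    seturl() {
        this.url = window.location.href;
    }
    geturl() {
        // Throws a TypeError until seturl() has stored a value (new URL("") is invalid).
        return new URL(this.url);
    }
}
```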


@@ -120,6 +120,9 @@
</tr> </tr>
<tr style="color:#003680;height:36.67px;"> <tr style="color:#003680;height:36.67px;">
<td> <td>
<asp:ScriptManager ID="ScriptManager1" runat="server" />
<asp:Timer ID="tmr_PWToken" Interval="1000" runat="server" ClientIDMode="Predictable" OnTick="tmr_PWToken_Tick"></asp:Timer>
<asp:Button ID="btn_submitpw" runat="server" Text="Passwort wechseln" OnClick="btn_submitpw_Click"/> <asp:Button ID="btn_submitpw" runat="server" Text="Passwort wechseln" OnClick="btn_submitpw_Click"/>
</td> </td>
</tr> </tr>
@@ -128,5 +131,9 @@
</form> </form>
</div> </div>
</div> </div>
<script type="text/javascript" src="../js/geturlofsite.js">
</script>
</body> </body>
</html> </html>
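Review bot: The Timer added at L32 does no useful work as far as the visible code shows: getDateoftoken in the code-behind (L92–L98) sets its Interval to 30000 (overriding the `Interval="1000"` here) and leaves it enabled only on the expired-token branch, where btn_submitpw is already disabled, and the tick handler (L102–L104) merely disables that button again. Because there is no UpdatePanel, every tick is a full-page postback that reruns Page_Load and the `Decrypt(Request.QueryString("Par1"))` call for nothing. Token age belongs in btn_submitpw_Click at submit time; the Timer and ScriptManager can then go, or at minimum this one should start as `Enabled="false"` like Token_tmr in ForgotPW.aspx (L122). The same concern applies to that Token_tmr: its tick (L241–L243) disables btn_Send and nothing re-enables it, so once genToken's Catch path starts the timer the Send button stays locked. The script include at L40 loads a class that nothing on this page instantiates.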


@@ -3,14 +3,18 @@ Partial Class login_ChangePW
Inherits System.Web.UI.Page Inherits System.Web.UI.Page
Protected Sub Page_Load(sender As Object, e As EventArgs) Protected Sub Page_Load(sender As Object, e As EventArgs)
Dim url = Request.ServerVariables("URL")
Session.Add("urltochangepw", url)
btn_submitpw.Enabled = False If getDateoftoken(VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Request.QueryString("Par1"))) = True Then
txt_Pw_WH.Enabled = False txt_Pw_WH.Enabled = False
regexval_txt_Pw_WH.Enabled = False regexval_txt_Pw_WH.Enabled = False
If IsPostBack Then If IsPostBack Then
reqPasswtxt.Validate() reqPasswtxt.Validate()
reqPassw1txt.Validate() reqPassw1txt.Validate()
Session.Add("urltochangepw", Request.Url.AbsoluteUri) End If
Else
btn_submitpw.Enabled = False
End If End If
End Sub End Sub
@@ -23,6 +27,16 @@ Partial Class login_ChangePW
btn_submitpw.Enabled = False btn_submitpw.Enabled = False
End If End If
End Sub End Sub
Public Function geturlofpage() As String
Dim url = Request.Url.Authority + HttpContext.Current.Request.RawUrl.ToString()
If Request.ServerVariables("HTTPS") = "on" Then
url = "https://" + url
Else
url = "http://" + url
End If
Return url
End Function
Protected Sub btn_submitpw_Click(sender As Object, e As EventArgs) Protected Sub btn_submitpw_Click(sender As Object, e As EventArgs)
Dim tempstr As String = "" Dim tempstr As String = ""
@@ -47,7 +61,6 @@ Partial Class login_ChangePW
Msg = "PW nicht erfolgreich geändert!" Msg = "PW nicht erfolgreich geändert!"
Style = vbAbortRetryIgnore + vbCritical + vbDefaultButton1 Style = vbAbortRetryIgnore + vbCritical + vbDefaultButton1
Title = "Error" Title = "Error"
MsgBox(Msg, Style, Title) MsgBox(Msg, Style, Title)
If MsgBox(Msg, Style, Title).Retry Then If MsgBox(Msg, Style, Title).Retry Then
Response.Redirect(Request.RawUrl) Response.Redirect(Request.RawUrl)
@@ -73,4 +86,24 @@ Partial Class login_ChangePW
regexval_txt_Pw_WH.Enabled = False regexval_txt_Pw_WH.Enabled = False
End If End If
End Sub End Sub
Function getDateoftoken(tokenname As String) As Boolean
Dim data() As Byte = Convert.FromBase64String(tokenname)
Dim wenn As DateTime = DateTime.FromBinary(BitConverter.ToInt64(data, 0))
tmr_PWToken.Interval = 30000
tmr_PWToken.Enabled = True
If wenn < DateTime.UtcNow.AddMinutes(-3) Then
Return False
MsgBox("Token nicht gefunden oder zu alt!" + Environment.NewLine + "Bitte erneut Mail senden!")
Else
tmr_PWToken.Enabled = False
Return True
End If
End Function
Protected Sub tmr_PWToken_Tick(sender As Object, e As EventArgs)
btn_submitpw.Enabled = False
End Sub
End Class End Class
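Review bot: getDateoftoken (L89–L101) accepts any value whose first eight bytes decode to a recent timestamp; nothing compares the token against one issued by genToken or binds it to the account whose password is being changed, so the GUID half of the token is never checked (unless cCryptography.Decrypt authenticates its input, which this page does not show), and the fix for that is to persist the issued token per user and compare it on this page. The decoding is also unguarded: a missing or tampered `Par1` in Page_Load (L52) makes Decrypt, FromBase64String, ToInt64 or FromBinary throw, so the page fails with an unhandled exception instead of a clean rejection; the guarded version below covers this, and the Decrypt call in Page_Load should sit in a Try/Catch of its own with `btn_submitpw.Enabled = False` on failure. The `MsgBox` at L96 is unreachable after `Return False` and, being server-side, would never reach the browser anyway. Note the window here is 3 minutes (L94) while the copy in ForgotPW.aspx.vb uses 30 minutes (L229); one shared constant would keep the two in step.
```vb
Function getDateoftoken(tokenname As String) As Boolean
    ' Reject anything that is not a well-formed token before touching the bytes.
    If String.IsNullOrEmpty(tokenname) Then Return False
    Dim data() As Byte
    Try
        data = Convert.FromBase64String(tokenname)
    Catch ex As FormatException
        Return False
    End Try
    ' The timestamp occupies the first 8 bytes; a shorter payload makes ToInt64 throw.
    If data.Length < 8 Then Return False
    Dim wenn As DateTime
    Try
        wenn = DateTime.FromBinary(BitConverter.ToInt64(data, 0))
    Catch ex As ArgumentException
        Return False
    End Try
    ' ... unchanged: timer handling ...
    If wenn < DateTime.UtcNow.AddMinutes(-3) Then
        Return False
    Else
        tmr_PWToken.Enabled = False
        Return True
    End If
End Function
```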


@@ -1,5 +1,5 @@
<%@ Page Language="VB" AutoEventWireup="false" CodeFile="ForgotPW.aspx.vb" Inherits="login_ForgotPW" %> <%@ Page Language="VB" AutoEventWireup="false" CodeFile="ForgotPW.aspx.vb" Inherits="login_ForgotPW" %>
<%@ Reference VirtualPath="~/login/ChangePW.aspx" %>
<!DOCTYPE html> <!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"> <html xmlns="http://www.w3.org/1999/xhtml">
@@ -115,8 +115,13 @@
<asp:Label ID="lblMessage" runat="server" /> <asp:Label ID="lblMessage" runat="server" />
</td></tr> </td></tr>
<tr style="color:#003680; height:30px;"><td> <tr style="color:#003680; height:30px;"><td>
<asp:Button ID="btn_Send" Text="Send" runat="server" OnClick="SendEmail" /> <asp:Button ID="btn_Send" Text="Send" runat="server" OnClick="SendEmail" />
</td></tr> </td></tr>
<tr><td>
<asp:ScriptManager ID="ScriptManager2" runat="server" />
<asp:Timer ID="Token_tmr" Enabled="false" Interval="1000" runat="server" OnTick="Token_tmr_Tick"></asp:Timer>
</td></tr>
</table> </table>
</center> </center>
</form> </form>


@@ -7,6 +7,9 @@ Imports System.Data
Partial Class login_ForgotPW Partial Class login_ForgotPW
Inherits System.Web.UI.Page Inherits System.Web.UI.Page
Protected Sub Page_Load(sender As Object, e As EventArgs) Protected Sub Page_Load(sender As Object, e As EventArgs)
If txt_Username.Text = "" Then If txt_Username.Text = "" Then
Try Try
@@ -15,6 +18,7 @@ Partial Class login_ForgotPW
MsgBox(ex.Message) MsgBox(ex.Message)
End Try End Try
End If End If
End Sub End Sub
Protected Sub btn_Back_Click(sender As Object, e As EventArgs) Protected Sub btn_Back_Click(sender As Object, e As EventArgs)
Response.Redirect("login/login_FLEX.aspx") Response.Redirect("login/login_FLEX.aspx")
@@ -72,7 +76,7 @@ Partial Class login_ForgotPW
con.Close() con.Close()
End Using End Using
tokenname = genToken(username, password, email) tokenname = genToken(username, password, email)
If SendEmail(username, password, email) = True Then If SendEmail(username, password, email, tokenname) = True Then
'password = RandomString(New Random, 10) 'password = RandomString(New Random, 10)
If (getDateoftoken(tokenname) = True) Then If (getDateoftoken(tokenname) = True) Then
Dim msgboxstyle = vbDefaultButton1 + vbOK Dim msgboxstyle = vbDefaultButton1 + vbOK
@@ -86,7 +90,7 @@ Partial Class login_ForgotPW
MsgBox("Mail would be sent successfully!") MsgBox("Mail would be sent successfully!")
lblMessage.ForeColor = Color.Green lblMessage.ForeColor = Color.Green
lblMessage.Text = "Passwort wurde erfolgreich an die angegebene E-Mail Adresse gesendet." lblMessage.Text = "Passwort wurde erfolgreich an die angegebene E-Mail Adresse gesendet."
ElseIf SendEmail(username, password, email) = False Then ElseIf SendEmail(username, password, email, tokenname) = False Then
MsgBox("Mail would not be sent successfully!") MsgBox("Mail would not be sent successfully!")
lblMessage.ForeColor = Color.Red lblMessage.ForeColor = Color.Red
lblMessage.Text = "Diese E-Mail ist nicht in unserer Datenbank vorhanden." lblMessage.Text = "Diese E-Mail ist nicht in unserer Datenbank vorhanden."
@@ -104,31 +108,38 @@ Partial Class login_ForgotPW
Return sb.ToString() Return sb.ToString()
End Function End Function
Function SendEmail(username As String, password As String, email As String) As Boolean Function SendEmail(username As String, password As String, email As String, tokenname As String) As Boolean
Dim getdomianenvironment As String = "" Dim getdomianenvironment As String = ""
Dim pagename As String = ""
Dim ServPort As String = ""
If HttpContext.Current.Request.ServerVariables("SERVER_NAME") = "localhost" Then If HttpContext.Current.Request.ServerVariables("SERVER_NAME") = "localhost" Then
getdomianenvironment = HttpContext.Current.Request.ServerVariables("SERVER_NAME") getdomianenvironment = HttpContext.Current.Request.ServerVariables("SERVER_NAME")
ElseIf HttpContext.Current.Request.ServerVariables("SERVER_NAME") = "localhost" Then ServPort = Request.ServerVariables("SERVER_PORT")
pagename = Request.ServerVariables("SCRIPT_NAME")
ElseIf HttpContext.Current.Request.ServerVariables("SERVER_NAME") = Not "localhost" Then
getdomianenvironment = HttpContext.Current.Request.ServerVariables("SERVER_NAME") getdomianenvironment = HttpContext.Current.Request.ServerVariables("SERVER_NAME")
ServPort = Nothing
pagename = Request.ServerVariables("SCRIPT_NAME")
End If End If
'Dim pg As String = Request.ServerVariables("URL")
MsgBox("/" + ServPort + Request.ServerVariables("URL"))
Dim mailto As String = email Dim mailto As String = email
Dim Betreff As String = "Passwort reset" Dim Betreff As String = "Passwort reset"
Dim htmlbody = String.Format("Sehr geehrte/r {0},<br /><br /> Der Link zum Zurücksetzen des Passwortes lautet:<br /><br /><br />.<br />" + Environment.NewLine + "<a href=" + "" + getdomianenvironment + "/login/ChangePW.aspx" + ">This is default.aspx</a>" + Environment.NewLine + "<br />Mit freundlichen Grüßen,", username, password) Dim htmlbody = String.Format("Sehr geehrte/r {0},<br /><br /> Der Link zum Zurücksetzen des Passwortes lautet:<br /><br /><br />.<br />" + Environment.NewLine + "<a runat=" + "server" + " href=http://" + getdomianenvironment + ":" + ServPort + "/login/ChangePW.aspx?Par1=" + VERAG_PROG_ALLGEMEIN.cCryptography.Encrypt(tokenname) + ">Link</a>" + Environment.NewLine + "<br />Mit freundlichen Grüßen,", username, password)
Try Try
Dim tokennametemp = genToken(username, password, email) Dim tokennametemp = genToken(username, password, email)
'Dim Strtemp = Session.Keys.Item("urltochangepw") 'Dim Strtemp = Session.Keys.Item("urltochangepw")
If getDateoftoken(tokennametemp) = True Then If getDateoftoken(tokennametemp) = True Then
' Dim attachment As Attachment = New Attachment(File.OpenRead(excel), "Kundenliste.xlsx") ' Dim attachment As Attachment = New Attachment(File.OpenRead(excel), "Kundenliste.xlsx")
' Msg.Attachments.Add(attachment) ' Msg.Attachments.Add(attachment)
VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody) VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody)
MsgBox("SENT") MsgBox("SENT")
Return True Return True
Else Else
MsgBox("Error02: Mail not delivered!")
tokennametemp = genToken(username, password, email) tokennametemp = genToken(username, password, email)
VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody) VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody, tokenname)
Return False Return False
End If End If
Catch ex As Exception Catch ex As Exception
@@ -140,8 +151,9 @@ Partial Class login_ForgotPW
Function genToken(username As String, password As String, email As String) As String Function genToken(username As String, password As String, email As String) As String
Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary()) Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary())
Dim Key() As Byte = Guid.NewGuid().ToByteArray() Dim Key() As Byte = Guid.NewGuid().ToByteArray()
Dim token As String
Try Try
Dim token As String
token = Convert.ToBase64String(time.Concat(Key).ToArray()) token = Convert.ToBase64String(time.Concat(Key).ToArray())
Return token Return token
Catch Ex As Exception Catch Ex As Exception
@@ -152,21 +164,35 @@ Partial Class login_ForgotPW
MsgBox(Msg, Style, Title) MsgBox(Msg, Style, Title)
If MsgBox(Msg, Style, Title).Retry Then If MsgBox(Msg, Style, Title).Retry Then
If SendEmail(username, password, email) = True Then genToken(username, password, email)
MsgBox("SENT") Else
MsgBox("Tokengenerierung nicht erfolgreich." & vbCrLf & "In 5 Sekunden nochmal versuchen!")
Dim jetzt As DateTime = DateTime.UtcNow
Dim wenn As DateTime = DateTime.UtcNow.AddMinutes(-3)
Token_tmr.Interval = 3000
Token_tmr.Enabled = True
If jetzt < DateTime.UtcNow.AddSeconds(-5) Then
Return "NotYet"
Else Else
MsgBox("Error02: Mail not delivered!") Token_tmr.Enabled = False
token = Convert.ToBase64String(time.Concat(Key).ToArray())
Return token
End If End If
End If End If
End Try End Try
End Function End Function
Function getDateoftoken(tokenname As String) As Boolean Function getDateoftoken(tokenname As String) As Boolean
Dim data() As Byte = Convert.FromBase64String(tokenname) Dim data() As Byte = Convert.FromBase64String(tokenname)
Dim wenn As DateTime = DateTime.FromBinary(BitConverter.ToInt64(data, 0)) Dim wenn As DateTime = DateTime.FromBinary(BitConverter.ToInt64(data, 0))
If wenn < DateTime.UtcNow.AddHours(-24) Then If wenn < DateTime.UtcNow.AddMinutes(-30) Then
Return False Return False
MsgBox("Token nicht gefunden oder zu alt!" + Environment.NewLine + "Bitte erneut Mail senden!") MsgBox("Token nicht gefunden oder zu alt!" + Environment.NewLine + "Bitte erneut Mail senden!")
ElseIf tokenname = "NotYet" Then
Return False
Else Else
Return True Return True
End If End If
@@ -175,4 +201,8 @@ Partial Class login_ForgotPW
Protected Sub txtEmail_TextChanged(sender As Object, e As EventArgs) Protected Sub txtEmail_TextChanged(sender As Object, e As EventArgs)
regexval_txt_Email.Validate() regexval_txt_Email.Validate()
End Sub End Sub
Protected Sub Token_tmr_Tick(sender As Object, e As EventArgs)
btn_Send.Enabled = False
End Sub
End Class End Class
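Review bot: `ElseIf HttpContext.Current.Request.ServerVariables("SERVER_NAME") = Not "localhost" Then` in SendEmail (L170) does not compare the string: `Not` is applied to the literal, which is a compile error under Option Strict and an InvalidCastException otherwise; the intended test is `<> "localhost"`. The reset link at L179 is then built with a hard-coded `http://` and `":" + ServPort`, so the token is mailed as a cleartext-HTTP link even on an HTTPS site, the non-localhost branch (ServPort = Nothing) produces `host:/login/...`, the encrypted token is inserted without URL encoding, and `runat="server"` inside a mail body is meaningless; the rewritten lines below derive scheme and authority from the request instead. The `MsgBox` at L176 (and the others in this file) runs on the server, not in the user's browser. In genToken's Catch (L209–L221) the `Return "NotYet"` branch can never be taken, because `jetzt` is captured just before the comparison against UtcNow minus 5 s, and the `ElseIf tokenname = "NotYet"` check in getDateoftoken (L232) is unreachable anyway since `Convert.FromBase64String("NotYet")` throws first. The four-argument `sendMail(mailto, Betreff, htmlbody, tokenname)` at L192 differs from the three-argument call at L186; unless cProgramFunctions has such an overload this does not compile.
```vb
ElseIf HttpContext.Current.Request.ServerVariables("SERVER_NAME") <> "localhost" Then
' ... unchanged: rest of the environment branch ...
' Derive the link from the request: scheme follows the current connection, Authority
' already carries a non-default port, and the token is URL-encoded in case Encrypt
' output contains reserved characters (its format is not visible here).
Dim scheme As String = If(Request.IsSecureConnection, "https", "http")
Dim resetLink As String = scheme & "://" & Request.Url.Authority & "/login/ChangePW.aspx?Par1=" & HttpUtility.UrlEncode(VERAG_PROG_ALLGEMEIN.cCryptography.Encrypt(tokenname))
Dim htmlbody = String.Format("Sehr geehrte/r {0},<br /><br /> Der Link zum Zurücksetzen des Passwortes lautet:<br /><br /><br />.<br />" + Environment.NewLine + "<a href=""" + resetLink + """>Link</a>" + Environment.NewLine + "<br />Mit freundlichen Grüßen,", username, password)
```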