Tokengenerierung funktioniert und Sicherheitsmechanismus mittels Cryptographic Funktion auf VERAG_Prog_Allgemein verschlüsseltem Token an der URL zum PW Resetten

This commit is contained in:
ja
2021-10-08 13:45:16 +02:00
parent 46edf79845
commit 36e6191b5a
5 changed files with 107 additions and 23 deletions

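--- /dev/null
+++ b/js/geturlofsite.js
@@ -0,0 +1,9 @@
+class geturlofsite {
+var url = ""
+function seturl() {
+url = window.location.href;
+}
+function geturl() {
+return new URL(url)
+};
+};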
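Review bot: This file is not valid JavaScript as written — a class body cannot contain `var url = ""` or methods introduced with the `function` keyword, so the browser raises a SyntaxError at load time and the page that includes it via `../js/geturlofsite.js` gets nothing from it; `geturl()` also reads `url` as a free identifier rather than `this.url`. If the intent is only to expose the current page URL, `seturl() { this.url = window.location.href; }` and `geturl() { return new URL(this.url); }` inside the class body (with `url` initialised in a constructor) would parse. Nothing in this commit instantiates `geturlofsite`, so it may be simpler to drop the file until it has a caller.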


@@ -120,6 +120,9 @@
</tr>
<tr style="color:#003680;height:36.67px;">
<td>
<asp:ScriptManager ID="ScriptManager1" runat="server" />
<asp:Timer ID="tmr_PWToken" Interval="1000" runat="server" ClientIDMode="Predictable" OnTick="tmr_PWToken_Tick"></asp:Timer>
<asp:Button ID="btn_submitpw" runat="server" Text="Passwort wechseln" OnClick="btn_submitpw_Click"/>
</td>
</tr>
@@ -128,5 +131,9 @@
</form>
</div>
</div>
<script type="text/javascript" src="../js/geturlofsite.js">
</script>
</body>
</html>
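Review bot: Disabling `btn_submitpw` from `tmr_PWToken_Tick` is a presentation effect only — a client that ignores the disabled attribute can still post the button's event, so token expiry has to be enforced in the server-side click handler, which lives in the code-behind rather than this markup. As far as I can tell the `asp:Timer` has no `UpdatePanel` around it, so each tick is a full postback of the page (every second at `Interval="1000"`), re-running Page_Load and its decryption of the `Par1` query parameter; if the timer is kept, it should at least sit inside an `<asp:UpdatePanel>` so that only the button region refreshes. The `<script src="../js/geturlofsite.js">` include at the bottom is never invoked by anything in this markup.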


@@ -3,14 +3,18 @@ Partial Class login_ChangePW
Inherits System.Web.UI.Page
Protected Sub Page_Load(sender As Object, e As EventArgs)
Dim url = Request.ServerVariables("URL")
Session.Add("urltochangepw", url)
btn_submitpw.Enabled = False
txt_Pw_WH.Enabled = False
regexval_txt_Pw_WH.Enabled = False
If IsPostBack Then
reqPasswtxt.Validate()
reqPassw1txt.Validate()
Session.Add("urltochangepw", Request.Url.AbsoluteUri)
If getDateoftoken(VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Request.QueryString("Par1"))) = True Then
txt_Pw_WH.Enabled = False
regexval_txt_Pw_WH.Enabled = False
If IsPostBack Then
reqPasswtxt.Validate()
reqPassw1txt.Validate()
End If
Else
btn_submitpw.Enabled = False
End If
End Sub
@@ -23,6 +27,16 @@ Partial Class login_ChangePW
btn_submitpw.Enabled = False
End If
End Sub
Public Function geturlofpage() As String
Dim url = Request.Url.Authority + HttpContext.Current.Request.RawUrl.ToString()
If Request.ServerVariables("HTTPS") = "on" Then
url = "https://" + url
Else
url = "http://" + url
End If
Return url
End Function
Protected Sub btn_submitpw_Click(sender As Object, e As EventArgs)
Dim tempstr As String = ""
@@ -47,7 +61,6 @@ Partial Class login_ChangePW
Msg = "PW nicht erfolgreich geändert!"
Style = vbAbortRetryIgnore + vbCritical + vbDefaultButton1
Title = "Error"
MsgBox(Msg, Style, Title)
If MsgBox(Msg, Style, Title).Retry Then
Response.Redirect(Request.RawUrl)
@@ -73,4 +86,24 @@ Partial Class login_ChangePW
regexval_txt_Pw_WH.Enabled = False
End If
End Sub
Function getDateoftoken(tokenname As String) As Boolean
Dim data() As Byte = Convert.FromBase64String(tokenname)
Dim wenn As DateTime = DateTime.FromBinary(BitConverter.ToInt64(data, 0))
tmr_PWToken.Interval = 30000
tmr_PWToken.Enabled = True
If wenn < DateTime.UtcNow.AddMinutes(-3) Then
Return False
MsgBox("Token nicht gefunden oder zu alt!" + Environment.NewLine + "Bitte erneut Mail senden!")
Else
tmr_PWToken.Enabled = False
Return True
End If
End Function
Protected Sub tmr_PWToken_Tick(sender As Object, e As EventArgs)
btn_submitpw.Enabled = False
End Sub
End Class
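Review bot: Page_Load now calls `VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Request.QueryString("Par1"))` unconditionally, so a reset link with a missing, truncated or tampered parameter throws out of Decrypt or `Convert.FromBase64String` before the Else branch is reached and the page errors instead of treating the token as invalid; the check should be guarded as below. In getDateoftoken the `MsgBox` after `Return False` is unreachable, and MsgBox runs on the web server with no browser-side effect (in a non-interactive IIS worker it blocks or throws), so the "zu alt" text belongs in a page label. The validation as written only inspects the 8-byte timestamp at the front of the token — nothing in this hunk compares the GUID half against a value stored for the account when the mail was sent, so anyone who can produce a ciphertext that Decrypt accepts gets a "valid" link regardless of user; btn_submitpw_Click is cut by the hunk and may cover this, but the timestamp alone does not bind the link to an account. Note also the 3-minute window here versus the 30 minutes in ForgotPW's getDateoftoken, and that `Session.Add("urltochangepw", Request.Url.AbsoluteUri)` stores the token-bearing URL in session state.
```vb
Protected Sub Page_Load(sender As Object, e As EventArgs)
    Session.Add("urltochangepw", Request.Url.AbsoluteUri)
    Dim par1 As String = Request.QueryString("Par1")
    Dim tokenOk As Boolean = False
    If Not String.IsNullOrEmpty(par1) Then
        Try
            tokenOk = getDateoftoken(VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(par1))
        Catch ex As Exception
            ' malformed or tampered token: treat as invalid, never surface ex.Message to the client
            tokenOk = False
        End Try
    End If
    If tokenOk Then
        ' … unchanged: field enabling and IsPostBack validation …
    Else
        btn_submitpw.Enabled = False
    End If
End Sub
```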


@@ -1,5 +1,5 @@
<%@ Page Language="VB" AutoEventWireup="false" CodeFile="ForgotPW.aspx.vb" Inherits="login_ForgotPW" %>
<%@ Reference VirtualPath="~/login/ChangePW.aspx" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
@@ -115,8 +115,13 @@
<asp:Label ID="lblMessage" runat="server" />
</td></tr>
<tr style="color:#003680; height:30px;"><td>
<asp:Button ID="btn_Send" Text="Send" runat="server" OnClick="SendEmail" />
</td></tr>
</td></tr>
<tr><td>
<asp:ScriptManager ID="ScriptManager2" runat="server" />
<asp:Timer ID="Token_tmr" Enabled="false" Interval="1000" runat="server" OnTick="Token_tmr_Tick"></asp:Timer>
</td></tr>
</table>
</center>
</form>


@@ -7,6 +7,9 @@ Imports System.Data
Partial Class login_ForgotPW
Inherits System.Web.UI.Page
Protected Sub Page_Load(sender As Object, e As EventArgs)
If txt_Username.Text = "" Then
Try
@@ -15,6 +18,7 @@ Partial Class login_ForgotPW
MsgBox(ex.Message)
End Try
End If
End Sub
Protected Sub btn_Back_Click(sender As Object, e As EventArgs)
Response.Redirect("login/login_FLEX.aspx")
@@ -72,7 +76,7 @@ Partial Class login_ForgotPW
con.Close()
End Using
tokenname = genToken(username, password, email)
If SendEmail(username, password, email) = True Then
If SendEmail(username, password, email, tokenname) = True Then
'password = RandomString(New Random, 10)
If (getDateoftoken(tokenname) = True) Then
Dim msgboxstyle = vbDefaultButton1 + vbOK
@@ -86,7 +90,7 @@ Partial Class login_ForgotPW
MsgBox("Mail would be sent successfully!")
lblMessage.ForeColor = Color.Green
lblMessage.Text = "Passwort wurde erfolgreich an die angegebene E-Mail Adresse gesendet."
ElseIf SendEmail(username, password, email) = False Then
ElseIf SendEmail(username, password, email, tokenname) = False Then
MsgBox("Mail would not be sent successfully!")
lblMessage.ForeColor = Color.Red
lblMessage.Text = "Diese E-Mail ist nicht in unserer Datenbank vorhanden."
@@ -104,31 +108,38 @@ Partial Class login_ForgotPW
Return sb.ToString()
End Function
Function SendEmail(username As String, password As String, email As String) As Boolean
Function SendEmail(username As String, password As String, email As String, tokenname As String) As Boolean
Dim getdomianenvironment As String = ""
Dim pagename As String = ""
Dim ServPort As String = ""
If HttpContext.Current.Request.ServerVariables("SERVER_NAME") = "localhost" Then
getdomianenvironment = HttpContext.Current.Request.ServerVariables("SERVER_NAME")
ElseIf HttpContext.Current.Request.ServerVariables("SERVER_NAME") = "localhost" Then
ServPort = Request.ServerVariables("SERVER_PORT")
pagename = Request.ServerVariables("SCRIPT_NAME")
ElseIf HttpContext.Current.Request.ServerVariables("SERVER_NAME") = Not "localhost" Then
getdomianenvironment = HttpContext.Current.Request.ServerVariables("SERVER_NAME")
ServPort = Nothing
pagename = Request.ServerVariables("SCRIPT_NAME")
End If
'Dim pg As String = Request.ServerVariables("URL")
MsgBox("/" + ServPort + Request.ServerVariables("URL"))
Dim mailto As String = email
Dim Betreff As String = "Passwort reset"
Dim htmlbody = String.Format("Sehr geehrte/r {0},<br /><br /> Der Link zum Zurücksetzen des Passwortes lautet:<br /><br /><br />.<br />" + Environment.NewLine + "<a href=" + "" + getdomianenvironment + "/login/ChangePW.aspx" + ">This is default.aspx</a>" + Environment.NewLine + "<br />Mit freundlichen Grüßen,", username, password)
Dim htmlbody = String.Format("Sehr geehrte/r {0},<br /><br /> Der Link zum Zurücksetzen des Passwortes lautet:<br /><br /><br />.<br />" + Environment.NewLine + "<a runat=" + "server" + " href=http://" + getdomianenvironment + ":" + ServPort + "/login/ChangePW.aspx?Par1=" + VERAG_PROG_ALLGEMEIN.cCryptography.Encrypt(tokenname) + ">Link</a>" + Environment.NewLine + "<br />Mit freundlichen Grüßen,", username, password)
Try
Dim tokennametemp = genToken(username, password, email)
'Dim Strtemp = Session.Keys.Item("urltochangepw")
If getDateoftoken(tokennametemp) = True Then
' Dim attachment As Attachment = New Attachment(File.OpenRead(excel), "Kundenliste.xlsx")
' Msg.Attachments.Add(attachment)
VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody)
MsgBox("SENT")
Return True
Else
MsgBox("Error02: Mail not delivered!")
tokennametemp = genToken(username, password, email)
VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody)
VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody, tokenname)
Return False
End If
Catch ex As Exception
@@ -140,8 +151,9 @@ Partial Class login_ForgotPW
Function genToken(username As String, password As String, email As String) As String
Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary())
Dim Key() As Byte = Guid.NewGuid().ToByteArray()
Dim token As String
Try
Dim token As String
token = Convert.ToBase64String(time.Concat(Key).ToArray())
Return token
Catch Ex As Exception
@@ -152,21 +164,35 @@ Partial Class login_ForgotPW
MsgBox(Msg, Style, Title)
If MsgBox(Msg, Style, Title).Retry Then
If SendEmail(username, password, email) = True Then
MsgBox("SENT")
genToken(username, password, email)
Else
MsgBox("Tokengenerierung nicht erfolgreich." & vbCrLf & "In 5 Sekunden nochmal versuchen!")
Dim jetzt As DateTime = DateTime.UtcNow
Dim wenn As DateTime = DateTime.UtcNow.AddMinutes(-3)
Token_tmr.Interval = 3000
Token_tmr.Enabled = True
If jetzt < DateTime.UtcNow.AddSeconds(-5) Then
Return "NotYet"
Else
MsgBox("Error02: Mail not delivered!")
Token_tmr.Enabled = False
token = Convert.ToBase64String(time.Concat(Key).ToArray())
Return token
End If
End If
End Try
End Function
Function getDateoftoken(tokenname As String) As Boolean
Dim data() As Byte = Convert.FromBase64String(tokenname)
Dim wenn As DateTime = DateTime.FromBinary(BitConverter.ToInt64(data, 0))
If wenn < DateTime.UtcNow.AddHours(-24) Then
If wenn < DateTime.UtcNow.AddMinutes(-30) Then
Return False
MsgBox("Token nicht gefunden oder zu alt!" + Environment.NewLine + "Bitte erneut Mail senden!")
ElseIf tokenname = "NotYet" Then
Return False
Else
Return True
End If
@@ -175,4 +201,8 @@ Partial Class login_ForgotPW
Protected Sub txtEmail_TextChanged(sender As Object, e As EventArgs)
regexval_txt_Email.Validate()
End Sub
Protected Sub Token_tmr_Tick(sender As Object, e As EventArgs)
btn_Send.Enabled = False
End Sub
End Class
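Review bot: The reset link assembled into `htmlbody` in SendEmail places the `Encrypt(tokenname)` output directly in the query string without `HttpUtility.UrlEncode`, so if that output is Base64 (as the token itself is) its `+`, `/` and `=` characters are mangled on the way to ChangePW and an otherwise valid link fails to decrypt; the URL is also hard-coded to `http://`, so the secret travels in cleartext even when the site is served over TLS. The If/ElseIf chain above it tests `SERVER_NAME = "localhost"` twice (the branch that sets `ServPort` is dead) and then `SERVER_NAME = Not "localhost"`, which asks VB to coerce the string to a Boolean and fails at runtime on any non-localhost host, so on a real deployment the method never reaches the send. The freshness check that follows validates a brand-new token from `genToken` (always fresh, always true), the Else branch sends the mail twice including a four-argument `sendMail` overload not visible here, and `tokenname` — the value the user will present — is never persisted against the username, so from what this commit shows ChangePW can only verify the token's age, not which account requested the reset. I'd suggest storing the token (or a hash of it) with the username and issue time before sending, building the URL as below, and removing the server-side `MsgBox` debug calls, which have no effect in the user's browser; in genToken, `Guid.NewGuid()` is not documented as cryptographically random, so `System.Security.Cryptography.RandomNumberGenerator` is the right source for the secret half, and in getDateoftoken the `ElseIf tokenname = "NotYet"` branch is unreachable because `Convert.FromBase64String("NotYet")` throws first.
```vb
' … unchanged: signature …
Dim resetUrl As String = Request.Url.Scheme & "://" & Request.Url.Authority & _
    "/login/ChangePW.aspx?Par1=" & HttpUtility.UrlEncode(VERAG_PROG_ALLGEMEIN.cCryptography.Encrypt(tokenname))
Dim mailto As String = email
Dim Betreff As String = "Passwort reset"
Dim htmlbody = String.Format("Sehr geehrte/r {0},<br /><br />Der Link zum Zurücksetzen des Passwortes lautet:<br /><br /><a href=""{1}"">Link</a><br /><br />Mit freundlichen Grüßen,", HttpUtility.HtmlEncode(username), resetUrl)
Try
    ' TODO: persist tokenname (or its hash) with username and DateTime.UtcNow so ChangePW can verify ownership
    VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody)
    Return True
' … unchanged: Catch block (continues outside the hunk) …
```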