Hi,

I'm using Visual Studio.Net to create a password-protected webpage. I created a simple SQL Server database named "web" with a table named "users" containing the fields "username" and "password". I created the webform with textboxes for the usernames and passwords.

When the user submits their username and password, I want to first check the validity of the username against the database. If it is valid, then I want to check the validity of the password. If the username and password are a valid combination, I want to redirect the user. If either username and/or password are not valid, I want to post the appropriate messages.

The application is not working properly, although it compiles without any errors. When I supply known username and password combinations, and hit the login button, the password field clears and I cannot get past the login page. Here is the code so far:

HTML

<%@ Page language="c#" Codebehind="login.aspx.cs" AutoEventWireup="false" Inherits="bridgeport.login" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>login</title>
<meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
<meta content="C#" name="CODE_LANGUAGE">
<meta content="JavaScript" name="vs_defaultClientScript">
<meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema">
<LINK href="../bridgeport/main/main.css" type="text/css" rel="stylesheet">
<LINK href="../bridgeport/login/login.css" type="text/css" rel="stylesheet">
</HEAD>
<body>
<div class="FormPosition">
<form id="Form1" method="post" runat="server">
Username
<br>
<asp:textbox id="txtUsername" runat="server"></asp:textbox>&nbsp;&nbsp;
<asp:requiredfieldvalidator id="UsernameText" runat="server" ControlToValidate="txtUsername" ErrorMessage="Username field can't be empty!"
ForeColor="#0000C0" Font-Names="Verdana" Font-Size="9pt" Display="Dynamic"></asp:requiredfieldvalidator><br>
<br>
Password
<br>
<asp:textbox id="txtPassword" runat="server" TextMode="Password"></asp:textbox>&nbsp;&nbsp;
<asp:requiredfieldvalidator id="PassWordText" runat="server" ControlToValidate="txtPassword" ErrorMessage="Password field can't be empty!"
Display="Dynamic" ForeColor="#0000C0" Font-Names="Verdana" Font-Size="9pt"></asp:requiredfieldvalidator><br>
<br>
<asp:Button id="btnLogin" runat="server" Text="Login"></asp:Button>&nbsp;&nbsp;&nbsp;&nbsp;
<asp:label id="lblLoginMsg" runat="server" ForeColor="#FF8000" Font-Names="Verdana" Font-Size="9pt">Label</asp:label>
</form>
</div>
</body>


Codebehind

using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;

using System.Web.Security;
using System.Data.SqlClient;
using System.Data.OleDb;



namespace bridgeport
{
public class login : System.Web.UI.Page
{
protected System.Web.UI.HtmlControls.HtmlForm Form1;
protected System.Web.UI.WebControls.TextBox txtPassword;
protected System.Web.UI.WebControls.RequiredFieldValidator RequiredFieldValidator2;
protected System.Web.UI.WebControls.Label lblLoginMsg;
protected System.Web.UI.WebControls.RequiredFieldValidator PassWordText;
protected System.Web.UI.WebControls.RequiredFieldValidator UsernameText;
protected System.Web.UI.WebControls.Button btnLogin;
protected System.Web.UI.WebControls.Button btnReset;
protected System.Web.UI.WebControls.TextBox txtUsername;

private void Page_Load(object sender, System.EventArgs e)
{
}


private void btnLogin_Click(object sender, System.EventArgs e)
{
if (Page.IsValid)
{
// Create and open connection to database containing the usernames and password
SqlConnection conn = new SqlConnection("data source=HOME;initial catalog=web;");
conn.Open();

// Create sqlCommand to select username and password from users table
SqlCommand cmd = new SqlCommand();
cmd = conn.CreateCommand();
cmd.CommandText = "SELECT username, password FROM users WHERE (username=@username) AND (password=@password)";

cmd.Parameters["username"].Value = txtUsername;
cmd.Parameters["password"].Value = txtPassword;

// Use a DataReader to check these values against the database
SqlDataReader dr = cmd.ExecuteReader();

// Search all records of the database
while (dr.Read())
{
if ( dr["username"].ToString() == txtUsername.Text )
{
// username okay, now check password
if ( dr["password"].ToString() == txtPassword.Text )
{
// password okay, redirect user
// FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, false);
// string returnUrl = Request.QueryString["sitemanager.aspx"];
Response.Redirect("sitemanager.aspx");
}
else
{
lblLoginMsg.Text = "Invalid password";
}
}
else
{
lblLoginMsg.Text = "Invalid username";
}
}
// close connections
dr.Close();
//conn.Close();
}
}
}
}


Config

<?xml version="1.0" encoding="utf-8" ?>
<configuration>

<system.web>

<authentication mode="Forms">
<forms name="Bridgeport" loginUrl="login.aspx" protection="All" timeout="60" />
</authentication>

<authorization>
<deny users="?" />
</authorization>

</system.web>

</configuration>


Any ideas on what I'm missing?

Thanks,
petela