0

error is: The name 'Response' does not exist in the current context when i try to use Response.Cookies.Add(cookie);

I'm not sure what else should I need to include to get it work. I making app where user can login and when they login cookie is made so they dont need to login again when they reopen the app .

using MySql.Data.MySqlClient;
using System.Web;




namespace login
{

    public partial class Form1 : Form
    {
        MySqlConnection konekcija;
        string baza = "host=localhost;database=test;user=root;password=";
        MySqlCommand comm;
        MySqlDataReader reader;
        HttpCookie cookie;




        public Form1()
        {
            InitializeComponent();
        }



        private void Form1_Load(object sender, EventArgs e)
        {
            konekcija = new MySqlConnection(baza);
            comm = konekcija.CreateCommand();
            konekcija.Open();


        }



        private void button1_Click(object sender, EventArgs e)
        {

            string user = textBox2.Text.ToString();
            string pass = textBox1.Text.ToString();
            trylogin( user,  pass);

        }

        public void trylogin(string user, string pass)
        {

            if (checkBox1.Checked)
            {
                cookie = new HttpCookie("remember_me");
                cookie["Username"] = textBox2.Text;
                cookie["Expire"] = "365 Days";
                cookie.Expires = DateTime.Now.AddDays(365);
                Response.Cookies.Add(cookie);


            }

            comm.CommandText = "SELECT * FROM korisnici WHERE user='"+user+"' AND pass='"+pass+"'";

            reader = comm.ExecuteReader();
            if (reader.Read() == true)
            {

                reader.Dispose();
            }
            else 
            {
                reader.Dispose();
            }

        }

        private void Form1_FormClosing(object sender, FormClosingEventArgs e)
        {
            konekcija.Close();
        }
    }
}
Misko Mali
  • 617
  • 1
  • 7
  • 17
  • What you are doing isn't secure -- you can't trust cookie to tell you username like that. And you are setting the cookie before you even know if they provided a valid login... and you don't want to just put non-sanitized user input into your non-parameterized query... sorry I know that doesn't answer your question, but there are bigger issues here. – MikeSmithDev Nov 10 '12 at 22:34
  • You've got SQL injection in `trylogin`. Anyone can login without credentials. – usr Nov 10 '12 at 23:29

1 Answers1

0

Search the web for "remember me in c#", you'll find many discussions, i.e.:

"Remember Me" in ASP.Net

http://forums.asp.net/t/1303629.aspx

Anyway, you're attempting something really insecure with your code, watch out.

Regardless your "remember me" task, ok, you may want to compose your sql queries "on the fly", just remember to double your quotes with a replace before sending to sql engine:

user = user.Replace("'", "''"); //Assuming string values are not null here
password = password .Replace("'", "''");
comm.CommandText = "SELECT * FROM korisnici WHERE user='"+ user +"' AND pass='"+ password +"'";

I strongly encourage you learn using parameters (i.e. "... and user=@user"): they will give you more security and robustness to your code and doing so you don't need to use Replaces.

Another good practice is to extract only needed fields. If anyone gets access to this result someway and you have also put password field in clear text, this will happly shows it out. If you don't "select *", system maybe still unsecure, but at least you don't give anything out for free:

comm.CommandText = "SELECT user_name,login_level,anything_you_really_need FROM korisnici WHERE user=@user AND pass=@pass";
MySqlParameter pUser = new MySqlParameter("@user", user);
MySqlParameter pPass = new MySqlParameter("@pass", password);

comm.SelectCommand.Parameters.Add(pUser);
comm.SelectCommand.Parameters.Add(pPass);
Community
  • 1
  • 1
Squiffy
  • 175
  • 1
  • 4
  • 11