using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
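/// <summary>
/// Single sign-on landing page: takes a username and a one-time password from the
/// query string, checks them against the SingleSignOnUsers table, issues a forms
/// authentication ticket on success and then overwrites the stored password so the
/// same credentials cannot be replayed.
/// </summary>
/// <remarks>
/// NOTE(review): credentials arrive in the query string, so they are written to
/// web-server and proxy logs, browser history and the Referer header of any link the
/// page follows. The page's contract is kept here; callers should move to a POST over
/// TLS. The stored password is also compared as plain text — the column's width and
/// whether anything else writes it are not visible here, so hashing is left as a TODO.
/// </remarks>
public partial class SingleSignOn : System.Web.UI.Page
{
    /// <summary>
    /// Handles the request: authenticates, sets the ".SingleSignOn" ticket cookie,
    /// updates the status label and always invalidates the stored password.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        // A missing parameter used to throw NullReferenceException; treat it as empty
        // so the request simply fails authentication (an empty password never matches).
        string username = Request.QueryString["username"] ?? "";
        string password = Request.QueryString["password"] ?? "";

        if (ISAuthendicated(username, password))
        {
            lblStatus.Text = "Authendication Success";

            // Persistent ticket with a one-year lifetime, kept from the original.
            // NOTE(review): a shorter lifetime would limit the damage of a stolen cookie.
            FormsAuthenticationTicket fat = new FormsAuthenticationTicket(
                1, username, DateTime.Now, DateTime.Now.AddYears(1), true, "");

            HttpCookie cookie = new HttpCookie(".SingleSignOn");
            cookie.Value = FormsAuthentication.Encrypt(fat);
            cookie.Expires = fat.Expiration;
            // Keep the ticket away from script, and off plain HTTP when it was issued
            // over HTTPS (unconditional Secure would break HTTP-only deployments).
            cookie.HttpOnly = true;
            cookie.Secure = Request.IsSecureConnection;
            HttpContext.Current.Response.Cookies.Add(cookie);
        }
        else
        {
            hlLoggedin.Visible = false;
            lblStatus.Text = "Authendication Failed";
        }

        // Overwrite the stored password whether or not the attempt succeeded, so a
        // captured or guessed one-time password cannot be replayed.
        DeletePassword(username);
    }

    /// <summary>
    /// Looks up the stored password for <paramref name="username"/> and compares it
    /// with <paramref name="password"/>. An empty password never authenticates, which
    /// also covers unknown users (their stored value reads as "").
    /// </summary>
    /// <param name="username">Login name to look up (parameterized in the query).</param>
    /// <param name="password">Password supplied by the caller.</param>
    /// <returns>true when the supplied password matches the stored one.</returns>
    private bool ISAuthendicated(string username, string password)
    {
        string stored = "";
        const string sql = "Select password from SingleSignOnUsers where [username] = @username";

        // using-blocks release the connection even when the query throws; the original
        // relied on CommandBehavior.CloseConnection, which only runs on a clean close.
        using (SqlConnection conn = new SqlConnection(GetConnectionString()))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.Add(new SqlParameter("username", username ?? ""));
            conn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                // Last row wins if several match, as before.
                while (dr.Read())
                {
                    stored = Convert.ToString(dr["password"]);
                }
            }
        }

        // Constant-time comparison so response timing does not reveal how many
        // leading characters of the guess were correct.
        return password != "" && FixedTimeEquals(stored, password);
    }

    /// <summary>
    /// Compares two strings without short-circuiting on the first mismatch.
    /// The length check still returns early, so the length of the stored value may
    /// leak through timing; that is accepted here.
    /// </summary>
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    /// <summary>
    /// Replaces the stored password for <paramref name="username"/> with a fresh
    /// random value, invalidating whatever was there before.
    /// </summary>
    /// <param name="username">Row to update; a name with no row is a no-op.</param>
    private void DeletePassword(String username)
    {
        // System.Random is time-seeded and predictable, which defeats the purpose of a
        // "moving target"; draw from the OS CSPRNG instead. The numeric range is kept
        // so the value still fits whatever width the password column has.
        // NOTE(review): 1000..99998 is only ~98k values — widen once the column width
        // is confirmed, and add rate limiting on this page.
        string newPassword = username + RandomInRange(1000, 99999).ToString();
        const string sql = "Update SingleSignOnUsers set password = @password where username = @username";

        using (SqlConnection conn = new SqlConnection(GetConnectionString()))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.Add(new SqlParameter("@password", newPassword));
            cmd.Parameters.Add(new SqlParameter("@username", username ?? ""));
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    /// <summary>
    /// Returns a uniformly distributed integer in [minInclusive, maxExclusive) from
    /// the cryptographic RNG, using rejection sampling to avoid modulo bias.
    /// </summary>
    private static int RandomInRange(int minInclusive, int maxExclusive)
    {
        uint span = (uint)(maxExclusive - minInclusive);
        // Largest multiple of span that fits in a uint; draws at or above it are retried.
        uint limit = uint.MaxValue - (uint.MaxValue % span);
        byte[] buf = new byte[4];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            uint draw;
            do
            {
                rng.GetBytes(buf);
                draw = BitConverter.ToUInt32(buf, 0);
            } while (draw >= limit);
            return minInclusive + (int)(draw % span);
        }
    }

    /// <summary>
    /// Reads the "SingleSignOnDB" connection string from configuration.
    /// </summary>
    /// <exception cref="ConfigurationErrorsException">
    /// Thrown with a clear message when the entry is missing, instead of the
    /// NullReferenceException the bare indexer would produce.
    /// </exception>
    private static string GetConnectionString()
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["SingleSignOnDB"];
        if (settings == null)
        {
            throw new ConfigurationErrorsException("Connection string 'SingleSignOnDB' is not configured.");
        }
        return settings.ConnectionString;
    }
}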