Security Features and Testing - Pine Valley Furniture Portal

Problem 1: Necessary Security Features

The following are essential security features implemented in our semester project:

#	Security Feature	Description
1	Authentication	Restricts access based on user login using username/password.
2	Authorization	Controls access to different functionalities based on user roles (Admin, Customer).
3	Input Validation	Prevents SQL injection and XSS by sanitizing all user inputs using Regex and server-side checks.
4	Password Hashing	User passwords are hashed using SHA256 before storing in the database.
5	Session Timeout	Automatically logs out users after 15 minutes of inactivity.
6	HTTPS Enforcement	Ensures encrypted communication via SSL/TLS (assumed enforced on deployment).
7	SQL Parameterization	Prevents SQL injection by using parameterized queries in ADO.NET.

Problem 2: Code Implementation

Login (Authentication & Hashing)

string hashedPassword = ComputeSha256Hash(txtPassword.Text);
SqlCommand cmd = new SqlCommand("SELECT * FROM Users WHERE Username=@u AND PasswordHash=@p", conn);
cmd.Parameters.AddWithValue("@u", txtUsername.Text);
cmd.Parameters.AddWithValue("@p", hashedPassword);
                

Authorization Example

if (Session["Role"].ToString() != "Admin") {
    Response.Redirect("AccessDenied.aspx");
}
                

Input Validation

if (!Regex.IsMatch(txtEmail.Text, @"^[^@\s]+@[^@\s]+\.[^@\s]+$")) {
    lblError.Text = "Invalid email format.";
}
                

Session Timeout (Web.config)

<system.web>
  <sessionState timeout="15" />
</system.web>
                

SQL Parameterization

SqlCommand cmd = new SqlCommand("INSERT INTO Orders (CustomerId, ProductId) VALUES (@cid, @pid)", conn);
cmd.Parameters.AddWithValue("@cid", customerId);
cmd.Parameters.AddWithValue("@pid", productId);
                

Password Hashing Function (Utility)

public string ComputeSha256Hash(string rawData) {
    using (SHA256 sha256 = SHA256.Create()) {
        byte[] bytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(rawData));
        return BitConverter.ToString(bytes).Replace("-", "").ToLower();
    }
}
                

Live Demo: Click here to view the demo

Problem 3: Test Cases & Reports

The following table outlines the test cases for security features:

Feature	Test Case	Expected Result
Authentication	Login with valid/invalid credentials	Access granted or denied
Authorization	Try to access admin page as customer	Access Denied
Input Validation	Submit script tags in input	Input rejected
Password Hashing	Verify password in DB is hashed	No plain-text password
Session Timeout	Remain idle for 15+ minutes	Auto logout
HTTPS	Access using http://	Redirects to https://
SQL Injection	Enter ' OR '1'='1 in login	Login fails

Test Report PDF: View Report

Security Feature Code: View Code

Security Testing Code: View Test Code

Screenshot Demo: View Demo Images