
C# Login Web Form

I cannot figure out what I have done wrong here. I am trying to set up a basic login form for my application that authenticates against my SQL database. Here is the code:

using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Runs on every request, including the postback from btnLogin
        lblError.Visible = false;
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        using (SqlConnection myConnection = new SqlConnection(ConfigurationManager.ConnectionStrings["DBConnection"].ConnectionString))
        {
            myConnection.Open();

            try
            {
                string userID = txtUser.Text;
                string passID = txtPassword.Text;

                SqlDataReader reader = null;
                // Parameterized query: the user-supplied values never become part of the SQL text
                SqlCommand cmd = new SqlCommand("SELECT UserName, Password From Users WHERE UserName = @user AND Password = @pass", myConnection);

                SqlParameter userParam = cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50);
                SqlParameter passParam = cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 50);

                userParam.Value = userID;
                passParam.Value = passID;

                reader = cmd.ExecuteReader();

                // Loop body only runs when the query returns at least one row
                while (reader.Read())
                {
                    if (reader["UserName"].ToString() == userID && reader["Password"].ToString() == passID)
                    {
                        Response.Redirect("TaskMonitor.aspx");
                    }

                    else
                    {
                        lblError.Visible = true;
                    }
                }
            }

            catch (Exception ex)
            {
                Console.WriteLine(ex.ToString());
            }

            myConnection.Close();
        }
    }
}

It does not do anything whether I enter a correct username and password or incorrect.


Because when the username or password is invalid, no rows are returned and the code inside your while loop doesn't get executed.

You can change it to:

SqlCommand cmd = new SqlCommand("SELECT COUNT(*) From Users WHERE UserName = @user AND Password = @pass", myConnection);
/* ... init parameters etc ... */
if((int)cmd.ExecuteScalar() == 0)
{
    // Access Denied
}
else
{
    // Access Granted
}


Also, your Page_Load hides the error label; you might want to change it to something like:

if (!IsPostBack) lblError.Visible = false;

You can also use ASP.NET's built-in Forms Authentication to handle the session:

FormsAuthentication.RedirectFromLoginPage(userID, false);


He mentions both situations.

My suggestion is: use a bit easier code:

myConnection.Open();
// The parameter is only useful if the query actually references it
SqlCommand myCommand = new SqlCommand("Select * from myDT where UserName = @user", myConnection);
myCommand.Parameters.AddWithValue("@user", user.Text);
SqlDataReader reader = myCommand.ExecuteReader();
if(reader.HasRows)  // i remember there is such a thing !
{

}

// myCommand.Parameters.Add("@user", user.Text); is false as i remember


Currently you catch every error that is raised and write it to the console, but as you said before, you are developing a web application, so there is no console. So first replace the Console.WriteLine statement with Response.WriteLine, or remove the complete try and catch statement instead.

Second, if the query doesn't return any results, the complete if/else statement is skipped. It's easier to just check if the reader has any results: if it has, then you fire your redirect; otherwise, display the label.

0
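Putting the first and third answers together, here is an added example of the corrected click handler (this is not code from any of the posters). It assumes the same Users(UserName, Password) table and the DBConnection connection string from the question, and that Forms Authentication is enabled in web.config; the Authenticate and FixedTimeEquals helpers are names chosen for this example. Instead of asking SQL Server to match the password, it fetches the stored value for the user (ExecuteScalar returns null when there is no row, which is exactly the case the original while loop skipped) and compares in code:

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only hide the label on the first request; on postback the click
        // handler decides whether it should be shown.
        if (!IsPostBack) lblError.Visible = false;
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userID = txtUser.Text;
        string passID = txtPassword.Text;

        if (Authenticate(userID, passID))
        {
            // Issues the forms-auth ticket cookie and redirects to ReturnUrl (or the configured default).
            FormsAuthentication.RedirectFromLoginPage(userID, false);
        }
        else
        {
            // Reached both for a wrong password and for an unknown user (no row returned).
            lblError.Visible = true;
        }
    }

    // True only if a row exists for userName AND the stored value matches password.
    // Assumed schema: Users(UserName nvarchar(50), Password nvarchar(50)), as in the question.
    private static bool Authenticate(string userName, string password)
    {
        string connStr = ConfigurationManager.ConnectionStrings["DBConnection"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("SELECT Password FROM Users WHERE UserName = @user", conn))
        {
            // Typed parameter: the input is sent as data, never spliced into the SQL text.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();

            // ExecuteScalar returns null when the query yields no rows: unknown user => denied.
            object stored = cmd.ExecuteScalar();
            if (stored == null || stored == DBNull.Value)
                return false;

            return FixedTimeEquals((string)stored, password);
        }
    }

    // Compare without stopping at the first mismatching character, so the time taken
    // does not reveal how much of the value was correct (the length check still leaks length).
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Two things to note. The comparison now happens in C#, so it is case-sensitive, whereas `AND Password = @pass` in SQL Server follows the column's collation (often case-insensitive); the original code's in-loop string comparison was already case-sensitive, so this matches what the question expected. And the question's schema stores the password itself in the Password column; the structure above (fetch the stored value, verify in code) is the same one you would use if that column held a salted hash and FixedTimeEquals compared the recomputed hash, which is how a real application should store credentials.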
