Proper way to send username and password from client to server


Question

This question is not language specific. I'm curious how to properly send username and password from a website login form to a server.

My guess is to hash the password, put username/password in the POST body and send it over HTTPS. What's a better way?

For good measure I'll mention a less than ideal method:

http://www.somesite.com/login?un=myplaintextusername&pw=myplaintextpassword

Accepted answer

The important parts are that you transmit the form data in the POST body (that way it's not cached anywhere, nor normally stored in any logfiles) and use HTTPS (that way, if you have a good SSL/TLS certificate, nobody can sniff out the password from observing your network traffic). If you do that, there is no big extra benefit in hashing the password, at least not during the transmission.

Why do people talk about hashing passwords, then? Because normally you don't want to store the user's password in plaintext form in your server-side database (otherwise the impact of a compromised server is even worse than it would be otherwise). Instead, you usually store a salted/hashed form, and then apply the same salt/hash to the password received via the form data, so that you can compare the two.

For more information on salting, see http://en.wikipedia.org/wiki/Salt_(cryptography) (and the links there).
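As an added example (not part of the question or the answer above), here is the server side of what the answer describes: the credentials arrive in the POST body, the plaintext password is never stored, and the login check compares against a per-user salted hash. The field names `un`/`pw` are borrowed from the question's URL example; PBKDF2-HMAC-SHA256 as the hash, the iteration count, and the in-memory user table are my assumptions for illustration.

```python
import hashlib
import hmac
import os

# In-memory stand-in for the server-side user table (constructed for this example).
# Each entry holds (salt, hash); the plaintext password is never written anywhere.
USERS: dict[str, tuple[bytes, bytes]] = {}

PBKDF2_ITERATIONS = 600_000  # work factor; raise it over time as hardware gets faster


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted hash with PBKDF2-HMAC-SHA256 (standard-library KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Store only salt + hash for the new account."""
    salt = os.urandom(16)  # fresh random salt per user: equal passwords hash differently
    USERS[username] = (salt, hash_password(password, salt))


def verify_login(username: str, password: str) -> bool:
    """Apply the stored salt to the submitted password and compare the two hashes."""
    record = USERS.get(username)
    if record is None:
        # Run the KDF anyway so an unknown username does not answer measurably faster.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


def handle_login_post(form: dict[str, str]) -> int:
    """Mimic a POST /login handler: credentials are read from the form body, not the URL."""
    username = form.get("un", "")
    password = form.get("pw", "")
    return 200 if verify_login(username, password) else 401
```

The HTTPS part of the answer is handled by the web server or TLS terminator in front of this code, not inside it.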
