在HTTP GET查询参数中传递用户名和密码 [英] Passing username and password in HTTP GET query parameters

问题描述

我正在为我的应用程序构建一个RESTful API，我希望它尽可能干净透明。

I'm building a RESTful API for my application and I would like to make it as clean and transparent as possible.

我需要创建一个身份验证端点和我最有意义的是构建它，以便用户可以通过以下方式进行身份验证：

I need to create an authentication endpoint and it makes most sense to me to build it so that users can authenticate in a following way:

GET https://example.com/
    auth?identity=<username_or_email>&password=<password>

正如我所说，在查询参数中使用HTTP GET方法传递用户auth数据似乎非常干净我。

As I said, passing the user auth data using HTTP GET method in query parameters just seems very clean to me.

但我想问你实际上有多安全。考虑到它将通过SSL / TLS加密，您认为转移这样的用户凭据是个好主意吗？

But I would like you to ask about how secure it actually is. Considering it will be encrypted through SSL/TLS, do you think it's a good idea to transfer user credentials like this?

推荐答案

As 显示名称 表示，这两种变体基本上都是纯文本（甚至使用base64编码）。所以你必须使用TLS或其他保护措施，如 HMAC

As Display Name said, both variants are basically plain text (even using base64 encoding). So you must use TLS or another protection like HMAC

但从另一方面来看，查询字符串在服务器/客户端通常如何处理URL方面不太安全。你可以阅读这个这里或此处。简而言之，您应该担心以下内容

But from other side, Query string is less secure in terms of how Server/Client works with URLs in general. You can read about this here or here. Briefly you should be worry about the following

• 网址存储在网络服务器日志中


• 网址是存储在浏览器历史记录中


• URL在Referrer标头中传递

这篇关于在HTTP GET查询参数中传递用户名和密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！