HTTP:为什么在get请求中发送用户名和密码错误? [英] HTTP: Why is wrong sending username and password in get request?
问题描述
Genaral练习是指当您登录或执行其他需要您的用户名和密码的操作时,您将其发送到帖子请求的正文中。另外,为了增加安全性,应该使用https。
Genaral practice is when you login, or do something else that requires your username and password, you send it in the body of post request. Also for added security https should be used.
在获取请求中,这些参数作为URL的一部分发送。但是在https中,正文和标题都是加密的,据我所知。
In get request these parameters are sent as a part of URL. But in https both body and headers are encrypted, as i understand.
所以从理论上讲,无论你使用https post还是get for send,你的数据都是安全的......在一种情况下,攻击者必须在你的标题和你的身体其他部分进行表示。
So in theory, whether you use https post or get for sending, your data are safe..., in one case attacker will have to decript your header and in other your body.
所以我的问题是,如果这一切都是真的,那么帖子怎么更安全呢? / p>
So my question is, if this is all true, how is post more secure?
推荐答案
除了其他人已经写过的内容还有一点,在webservers日志文件中,最常记录的是整个网址,所以任何有权访问日志文件的人都可以读取登录凭据。此外,如果页面上有一些流量分析工具(比如谷歌分析或其他),那么也会在那里报告调用网址 - >那些人也可以读取登录凭据(他们甚至可能在流量分析中出现) )。
Aside what others have already written there is an additional point, that in webservers logsfiles most often the entire url is being logged, so anyone with access to the logfiles can read the login credentials. Furthermore, if there is some traffic analysis tool on the page (say i.e. google analytics or whatever) then the calling url is being reported there as well -> also those people can read the login credentials (and they may even apears in the traffic analysis).
这篇关于HTTP:为什么在get请求中发送用户名和密码错误?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
