如何在HTTP插入的https中运行我的应用程序? [英] how to run my application in https insted of http?

问题描述

表单目标操作:login.aspx

影响
如果攻击者可以拦截网络流量，则他/她可以窃取用户凭据.

要采取的行动
请参阅解决方法.
将所有重要的表单和页面移至HTTPS，并且不要通过HTTP提供服务.
补救措施
所有敏感数据应通过HTTPS而不是HTTP进行传输.表单应通过HTTPS提供.从登录过程开始接受用户输入的应用程序的所有方面都应仅通过HTTPS进行服务.


请帮助我如何在https中发送用户名和密码???????

Form target action: login.aspx

Impact
If an attacker can intercept network traffic he/she can steal users credentials.

Actions to Take
See the remedy for solution.
Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input starting from the login process should only be served over HTTPS.


please help me how i can send my username and password in https???????

推荐答案

请参阅IIS论坛中的此链接.希望对您有帮助:
http://forums.iis.net/t/1147466.aspx [

See this link from IIS forums. Hope it helps you:
http://forums.iis.net/t/1147466.aspx[^]

您好，

HTTPS是服务器配置，在大多数方面不会影响您的代码.请在互联网上搜索如何在服务器上设置HTTPS-许多文章介绍了HTTPS的工作方式以及设置方法.实际上，您只需要购买HTTPS证书并设置服务器即可使用该证书，然后关闭端口80(普通HTTP)连接.

您唯一需要进行的代码添加/更改是对每个页面请求进行服务器端检查，以确保该页面请求是通过HTTPS发出的.

我建议最好通过HTTPS运行整个站点-否则，拥有密码的意义何在?如果攻击者可以简单地坐在中间并在通过时读取所有私人"信息，则他/她不需要用户的实际用户名/密码，他/她只需要等待他们查看即可包含他们的帐户信息的页面！

哦，顺便说一句，如果您对Facebook应用相同的(有效)逻辑，那么您很快就会意识到，如果您(以及其他所有人)没有打开Facebook的HTTPS设置，您也可以将所有人的整个个人资料向公众开放！因为您和您的朋友将通过完全开放的连接查看私人"个人资料，任何攻击者都可以从该个人资料中读取所有信息-甚至无需亲自去Facebook！几乎不需要用户名/密码.顺便说一句，除非Facebook突然改变，否则它们默认不会打开HTTPS-您必须深入研究其混乱/混乱的设置菜单，才能找到可以将其全部打开的选项，而不仅仅是登录.

希望这会有所帮助，
Ed

Hi there,

HTTPS is a server configuration thing and will (in most respects) not affect your code. Please search the internet for how to set up HTTPS on your server - there are many articles explaining how HTTPS works and how to set it up. Effectively you just need to buy an HTTPS certificate and set up your server to use that and then turn off port 80 (plain HTTP) connections.

The only code addition/change you will need is to put a server side check on each page request to make sure that the page request is coming via HTTPS.

I would suggest that it is best to run your entire site over HTTPS - otherwise, what is the point of having passwords eh? If an attacker can simply sit in the middle and read all the "private" info as it passes, he/she doesn''t need the user''s actual username/password, he/she simply needs to wait for them to view a page with their account info!

Oh by the way, if you apply the same (valid) logic to Facebook then you quickly realise that if you (and everybody else) doesn''t turn on Facebook''s HTTPS setting, you may as well put everyone''s entire profiles as open to the public! Since you and friends will be viewing "private" profiles over a completely open connection from which any attacker could read all the information - without ever needing to even go to Facebook itself! Much less need a username/password. Incidentally, unless Facebook has changed suddenly, they don''t turn on HTTPS by default - you have to go digging in their more than confusing/messy settings menus to find the option to turn it on for everything rather than just for login.

Hope this helps,
Ed

这篇关于如何在HTTP插入的https中运行我的应用程序?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！