可以通过 URL 参数通过 HTTPS 安全地发送用户名和密码吗? [英] Can a username and password be sent safely over HTTPS via URL parameters?

问题描述

昨天我和一位同事进行了激烈的辩论，是否可以通过 URL 参数发送登录凭据作为身份验证的方式安全.他正确地指出，HTTPS 在向服务器端发送请求之前会加密 URL 中的所有非主机名/端口字符.

A colleague and I had a heated debate yesterday whether it is safe to send login credentials via URL parameters as a means of authentication. He correctly pointed out that HTTPS encrypts all non-hostname/port characters in a URL before sending a request to the server side.

但是，我仍然认为这里存在可以窃取这些凭据的边缘情况，并且认为它们应该通过 HTTPS POST 发送.这实际上是发送登录/令牌数据的安全方式吗?

However, I still think there are edge cases here where it is possible to steal these credentials, and believe they should be sent via an HTTPS POST. Is this actually a safe means of sending login/token data?

推荐答案

请求的 URL 可能显示在 Web 服务器日志 和 浏览器历史记录/书签 中，这不是好东西.

The requested URL might show up in Web server logs and browser history/bookmarks which is not a good thing.

这篇关于可以通过 URL 参数通过 HTTPS 安全地发送用户名和密码吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！