可以通过 URL 参数通过 HTTPS 安全地发送用户名和密码吗? [英] Can a username and password be sent safely over HTTPS via URL parameters?
问题描述
昨天我和一位同事进行了激烈的辩论,是否可以通过 URL 参数发送登录凭据作为身份验证的方式安全.他正确地指出,HTTPS 在向服务器端发送请求之前会加密 URL 中的所有非主机名/端口字符.
A colleague and I had a heated debate yesterday whether it is safe to send login credentials via URL parameters as a means of authentication. He correctly pointed out that HTTPS encrypts all non-hostname/port characters in a URL before sending a request to the server side.
但是,我仍然认为这里存在可以窃取这些凭据的边缘情况,并且认为它们应该通过 HTTPS POST 发送.这实际上是发送登录/令牌数据的安全方式吗?
However, I still think there are edge cases here where it is possible to steal these credentials, and believe they should be sent via an HTTPS POST. Is this actually a safe means of sending login/token data?
推荐答案
请求的 URL 可能显示在 Web 服务器日志 和 浏览器历史记录/书签 中,这不是好东西.
The requested URL might show up in Web server logs and browser history/bookmarks which is not a good thing.
这篇关于可以通过 URL 参数通过 HTTPS 安全地发送用户名和密码吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!