可以将用户名和密码被安全地通过HTTPS通过URL参数发送? [英] Can a username and password be sent safely over HTTPS via URL parameters?
问题描述
我和一个同事昨天激烈的争论是否安全通过URL参数发送的登录凭据身份验证的一种手段。他正确地指出,HTTPS发送到服务器端请求之前加密URL中的所有非主机名/端口的字符。
A colleague and I had a heated debate yesterday whether it is safe to send login credentials via URL parameters as a means of authentication. He correctly pointed out that HTTPS encrypts all non-hostname/port characters in a URL before sending a request to the server side.
不过,我仍然认为有优势的情况下这里那里可以窃取这些凭据,并相信他们应该通过HTTPS POST发送。这是实际发送的登录/令牌数据的安全手段?
However, I still think there are edge cases here where it is possible to steal these credentials, and believe they should be sent via an HTTPS POST. Is this actually a safe means of sending login/token data?
推荐答案
请求的URL可能在 Web服务器日志和浏览器历史记录/书签显示这是不是一个好东西。
The requested URL might show up in Web server logs and browser history/bookmarks which is not a good thing.
这篇关于可以将用户名和密码被安全地通过HTTPS通过URL参数发送?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!