可以将用户名和密码被安全地通过HTTPS通过URL参数发送？ [英] Can a username and password be sent safely over HTTPS via URL parameters?

问题描述

我和一个同事昨天激烈的争论是否安全通过URL参数发送的登录凭据身份验证的一种手段。他正确地指出，HTTPS发送到服务器端请求之前加密URL中的所有非主机名/端口的字符。

A colleague and I had a heated debate yesterday whether it is safe to send login credentials via URL parameters as a means of authentication. He correctly pointed out that HTTPS encrypts all non-hostname/port characters in a URL before sending a request to the server side.

不过，我仍然认为有优势的情况下这里那里可以窃取这些凭据，并相信他们应该通过HTTPS POST发送。这是实际发送的登录/令牌数据的安全手段？

However, I still think there are edge cases here where it is possible to steal these credentials, and believe they should be sent via an HTTPS POST. Is this actually a safe means of sending login/token data?

推荐答案

请求的URL可能在 Web服务器日志和浏览器历史记录/书签显示这是不是一个好东西。

The requested URL might show up in Web server logs and browser history/bookmarks which is not a good thing.

这篇关于可以将用户名和密码被安全地通过HTTPS通过URL参数发送？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！