Why is AJAX authentication through HTTP considered to be non secure?


Problem description

Let's consider the next scenario: assume I have a web app, and authentication of users is performed through a modal dialog window (let's say that when a user clicks the login button, an ajax request is sent and depending on the callback I either close the window or display an error), and I use only the HTTP protocol. Why is it considered to be a not secure way to do things?

Also, please make sure that a modal dialog window is taken into account, because this is vital info. There may be some data displayed underneath the dialog window and can be accessible if modality is broken.

The question includes both:

  1. How can you break an app's security by utilizing an ajax call?
  2. Is Ajax HTTP less secure than a regular form HTTP?

Solution

Whoever told you - he is wrong. The ajax through post is not less secure than post with regular forms. Just because it is the same thing.

Update 1 according to the last edit:

  1. You cannot
  2. No

Argument: the AJAX request is the same http request as any other (such as request sent by html form). Absolutely the same. So by definition it cannot be less or more secure.

I don't know how to explain more and what else to say: ajax is an http request. The same request as your browser does when you open an SO page or when you post the SO question form.

I can rephrase your question to something like "Why A is less secure than A". Answer to it: A is not less secure than A, because A is A :-S
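To make the answer's point concrete, here is an added example (not part of the original question or answer) that serializes the same login as a regular form POST and as an AJAX POST, then parses both the way a server or anyone observing a plain-HTTP connection would. The host `app.example`, the path `/login`, the credentials and the `X-Requested-With` header (added by some AJAX libraries) are assumptions made for illustration; the JSON-body variant goes slightly beyond the case discussed above.

```javascript
// Constructed sample data: the host, path and credentials are made up.
const FIELDS = { username: "alice", password: "s3cret-example" };

// Serialize an HTTP/1.1 POST the way it travels over a plain-HTTP connection.
function buildPost(body, contentType, extraHeaders = {}) {
  const headers = {
    Host: "app.example",
    "Content-Type": contentType,
    "Content-Length": String(new TextEncoder().encode(body).length),
    ...extraHeaders,
  };
  const head = Object.entries(headers).map(([k, v]) => `${k}: ${v}`).join("\r\n");
  return `POST /login HTTP/1.1\r\n${head}\r\n\r\n${body}`;
}

// Regular <form method="post"> submission.
const formPost = buildPost(new URLSearchParams(FIELDS).toString(),
  "application/x-www-form-urlencoded");
// Same fields sent by script; X-Requested-With is a header some libraries add.
const ajaxPost = buildPost(new URLSearchParams(FIELDS).toString(),
  "application/x-www-form-urlencoded", { "X-Requested-With": "XMLHttpRequest" });
// AJAX variant that sends the fields as a JSON body instead.
const ajaxJsonPost = buildPost(JSON.stringify(FIELDS), "application/json");

// Parse raw request text into method, path, headers and decoded login fields.
function parseRequest(raw) {
  const split = raw.indexOf("\r\n\r\n");
  const [requestLine, ...headerLines] = raw.slice(0, split).split("\r\n");
  const [method, path] = requestLine.split(" ");
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const body = raw.slice(split + 4);
  const fields = headers["content-type"].startsWith("application/json")
    ? JSON.parse(body)
    : Object.fromEntries(new URLSearchParams(body));
  return { method, path, headers, fields };
}

// Names of headers that differ between two parsed requests.
function headerDiff(a, b) {
  const names = new Set([...Object.keys(a.headers), ...Object.keys(b.headers)]);
  return [...names].filter((n) => a.headers[n] !== b.headers[n]).sort();
}
```

In all three requests the password is readable in the body, so what protects the login is TLS on the connection, not the choice between a form and AJAX.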
