Consider the URL: https://foo:password@example.com
上述示例中的用户名/密码部分是否符合这个问题?
当您将用户名和密码放在主机前面时,这些数据不会以这种方式发送到服务器。而是根据所使用的身份验证模式将其转换为请求标头。大多数情况下,这将是我在下面描述的基本身份验证。类似(但使用频率明显较低)的身份验证方案是摘要式身份验证,如今它提供了类似的安全功能。
使用Basic Auth,问题中的HTTP请求将如下所示:
GET / HTTP/1.1
Host: example.com
Authorization: Basic Zm9vOnBhc3N3b3Jk
您在那里看到的类似哈希的字符串是由浏览器创建的,如下所示:base64_encode(username+“:”+password)。
对于HTTPS传输的局外人来说,这些信息是隐藏的(就像HTTP级别上的其他一切一样)。不过,您应该注意登录客户端和所有中间服务器。用户名通常会显示在服务器日志中,但密码不会。但这并不能保证。当您在客户端上使用例如<code>curl</code>调用该URL时,用户名和密码将在进程列表中清晰可见,并可能出现在bash历史文件中。
当您在GET请求中发送密码时,例如http://example.com/login.php?username=me&;password=secure用户名和密码将始终出现在您的Web服务器、应用程序服务器、缓存等的服务器日志中。。。除非您专门将服务器配置为不记录它。这只适用于能够读取未加密http数据的服务器,如您的应用程序服务器或任何中间盒,如负载平衡器、CDN、代理等。
基本身份验证是标准化的,并由浏览器通过显示您可能已经看到的这个小用户名/密码弹出窗口来实现。当您将用户名/密码放入通过GET或POST发送的HTML表单中时,您必须自己实现所有登录/注销逻辑(这可能是一个优势,可以让您更好地控制登录/注销流程,因为必须再次安全地实现这一点会增加“成本”)。但是您应该永远不要通过GET参数传输用户名和密码。如果必须,请改用POST。默认情况下,阻止记录此数据。
当使用用户/密码输入表单和随后的基于cookie的会话实现身份验证机制时(如今天通常使用的),您必须确保密码是通过POST请求传输的,或者仅通过上述标准化身份验证方案之一传输的。
最后,我可以说,通过HTTPS以这种方式传输数据可能是安全的,只要你注意密码不会出现在意外的地方。但这条建议适用于以任何方式传输任何密码的每一次。
For security reasons, it is desirable to check the integrity of code before execution, avoiding tampered software by an attacker. So, my question is How to sign executable code and run only trusted ...
I run findbugs against all of my code and only tackle the top stuff. I finally got the top stuff resolved and now am looking at the details. I have a simple entity, say a user: public class User ...
Anyone know if jsbin.com implements any protection for XSS or other javascript attacks? I see jsbin links used fairly regularly on sites like this one and I can t find any indication from the site ...
Im making a website that will intergrate with game that only support md5 hashing metod (atm). Which ofc is not especially safe anymore. But how could i make it stronger? Should I just generate long ...
I am trying to find out the difference between difference service account types. I tumbled upon this question. The answer was because it has powerful access to local resources, and Network Service ...
I am trying to write a script to prevent brute-force login attempts in a website I m building. The logic goes something like this: User sends login information. Check if username and password is ...
Three SHA512Managed related questions: Is SHA512Managed considered the best one-way hash available in .NET 3.5 for security? What Salt size should be used with SHA512Managed? The application is for ...
[Update] - I attach also full config files, for service, and for client (outside of here, not to flood the topic) I m having situation pretty much identical to the one outlined in this question, ...