问题
Genaral practice is when you login, or do something else that requires your username and password, you send it in the body of post request. Also for added security https should be used.
In get request these parameters are sent as a part of URL. But in https both body and headers are encrypted, as i understand.
So in theory, whether you use https post or get for sending, your data are safe..., in one case attacker will have to decript your header and in other your body.
So my question is, if this is all true, how is post more secure?
回答1:
Aside what others have already written there is an additional point, that in webservers logsfiles most often the entire url is being logged, so anyone with access to the logfiles can read the login credentials. Furthermore, if there is some traffic analysis tool on the page (say i.e. google analytics or whatever) then the calling url is being reported there as well -> also those people can read the login credentials (and they may even apears in the traffic analysis).
回答2:
GET is recorded at browser's history. Someone might look in your surf history and see your password.
回答3:
Same reason you display **** in a password entry field...
If you send the credentials via GET, anyone looking over the shoulder of the user could see the password (or perhaps a hash of the password, depending on exactly how you perform your logon) in the URL bar.
回答4:
The main point of putting something in a GET request is the ability to bookmark the result. This is great for search results, not so much for a login request. Sharing that URL would then theoretically allow anyone to login using your username and password.
来源:https://stackoverflow.com/questions/19794590/http-why-is-wrong-sending-username-and-password-in-get-request