问题
I have made a simple login form, but what is bugging me is that if you view the request (it's ajax), you can see the users password i.e. ?user=Bob&pass=secret
Is this something not to worry about at all or am I doing it wrong? I can't think of a way around this.
回答1:
Always use HTTPS and always opt for POST. The GET method will allow your browser to store the username and password when it stores the URL in its history and can also be sent to third party sites, e.g., google analytics. Also, servers will often log the request data including query string parameters. It's pretty clear why using GET is a very bad idea.
回答2:
If you are not using SSL then GET and POST are equivalent. Although POST is more secure as compared to GET when SSL is present.
GET sends the data unencrypted but when you will use SSL then the HTTP data which will be send will be encrypted and hence it will be secure.
You can check out the related thread:- Send password safely using an ajax request
回答3:
If you are able to view the request, you can view the password whether it is an unencrypted GET or POST request.
To protect your users, the best practice is to serve both the login page itself and POST the data to your server over SSL. That will help prevent nefarious parties from viewing the request and seeing that sensitive information.
If you want to take it a step further you can securely hash the users password in Javascript before even being sent to your server. Here is some more information on that: https://softwareengineering.stackexchange.com/questions/76939/why-almost-no-webpages-hash-passwords-in-the-client-before-submitting-and-hashi
回答4:
Use post or get over https... Http post and get requests are plain text.
来源:https://stackoverflow.com/questions/19343134/best-way-to-pass-a-password-via-get-or-post