如何在网址中隐藏密码
有一个用于登录服务器的 JSP 脚本。目前,用户凭据是通过 HTTP 标头接受的,并且 login.jsp 文件的设计是,一旦用户提供凭据,用户就会被重定向到一个重定向 URL,这是一个完全限定的 URL,在查询字符串中包含用户名和密码,因此用户能够访问他想要的页面,但问题是密码在浏览器地址栏中可见。
那么,有什么方法可以在url中隐藏用户密码呢?
There is a JSP script for login to a Server. Currently user credentials are being accepted through HTTP Header and the login.jsp file is so designed that once the user provides credentials the user is redirected to a redirectURL which is a fully qualified URL containing Username and Password in query string and hence the user is able to access the page he wants but problem is the password is being visible in the browser address bar.
So, what are the ways by which I can hide the user password in the url.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
其他人建议使用
POST
,这是正确的方法。但这还不足以保证中间人看不到密码。为了防止出现这种情况,您应该在服务器上启用 TLS (SSL) 并通过 https 提供页面Others suggested using
POST
, which is the correct method for this. But it is not enough to guarantee that a man-in-the-middle can't see the password. In order to prevent that you should enable TLS (SSL) on your server and serve the page over https您可以在请求中使用 http POST 参数而不是 GET 参数。它们在 URL 地址栏中将不再可见。
You can use http POST parameters instead of GET parameters in the request. They won't be visible anymore in the URL address bar.
我不了解 JSP,但您应该正确使用 POST 请求
I don't know about JSP but you should propably use POST request
除了上述有关使用 POST 参数的建议之外,如果我是您,我可能会重新考虑如何进行密码管理,因为您根本不需要在应用程序中将纯文本密码从一个页面传递到另一页面。
即使您需要将密码从一个页面传递到另一个页面,您也应该考虑对密码进行哈希处理,然后传递哈希值,然后让页面验证哈希值是否有效 - 因为希望您的数据库中包含哈希值
注意:如果您将密码以纯文本形式存储在数据库中,那么这也是绝对不允许的
In addition to the above suggestions regarding using POST parameters, if i were you, i would probably reconsider how your password management is being done as you should not be needing to pass passwords in plain text from one page to the other in your application at all.
Even if you need to pass the passwords from one page to another, you should consider hashing the password and then passing the hash and then let the page's validate if the hash is a valid one - because hopefully your database will have the hashed values in them
NOTE : If you are storing the passwords in plain text in your database, thats something thats a definite no-no as well