Searching for existing research on HTTP redirects and browser history
For a web app I want to let users review and edit a record they made previously through a browser form. In their confirmation mail, they get an access link with a secret token, like http://myapp.com/edityourstuff/hdD8sF2m
Clicking this link shows them a form in which they can edit the existing data they submitted earlier.
This is not as secure as a username/password combination, but much more convenient and suitable for my situation.
However, I want to make this as secure as possible.
GET URLs
If the link containing the secret access token is disclosed, unauthorised people can access the data. My concern here is about shared/public computers.
I was planning to tackle this problem with the following pattern:
- Access /edityourstuff/ds8sdfhe via the link in the email
- Start a session and store the secret token in it
- Redirect to the clean /edityourstuff without the token
- The app now has access to the token in the session and can display the form accordingly. And the URL bar does not show it.
My question now is: Do browsers store the initial URL, which immediately redirects to the clean URL, in their history?
I know that the different HTTP redirect status codes (301, 302, 303) have different use cases in theory. Is there any information on how different browsers treat the different redirect codes with respect to (not) storing the initial URL in browser history?
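The four-step pattern above, as a runnable added example (this is not code from the original post): a stdlib-only Python WSGI app that exchanges the tokened link for a server-side session, answers with a 303 to the clean URL, and then serves the form from the session. The record data, tokens, the `sid` cookie name and the paths are constructed for the demo. It assumes the site is served over HTTPS (the `Secure` flag would keep the cookie from being sent over the plain http:// scheme used in the question's example link), and it adds the headers a practitioner would want on the tokened response: `Cache-Control: no-store`, and HttpOnly/SameSite on the session cookie.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

# Constructed sample data (hypothetical): record id -> its secret access token
# and the data the user submitted earlier. A real app would keep this in a DB.
RECORDS = {
    "rec-1": {"token": "hdD8sF2m", "data": "first submission"},
    "rec-2": {"token": "ds8sdfhe", "data": "second submission"},
}

# Server-side session store: random session id -> record id. Only the session
# id ever travels to the browser; the token itself stays on the server.
SESSIONS = {}

TOKEN_PREFIX = "/edityourstuff/"
CLEAN_PATH = "/edityourstuff"


def find_record_by_token(token):
    """Return the record id for a token, or None. Constant-time comparison
    keeps the lookup from leaking how many leading characters matched."""
    token_bytes = token.encode("utf-8")
    for rec_id, rec in RECORDS.items():
        if hmac.compare_digest(rec["token"].encode("utf-8"), token_bytes):
            return rec_id
    return None


def session_id_from(environ):
    """Extract the 'sid' cookie value from the WSGI environ, or None."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("sid")
    return morsel.value if morsel else None


def app(environ, start_response):
    path = environ.get("PATH_INFO", "")

    # Steps 1+2: the tokened link arrives; exchange the token for a session.
    if path.startswith(TOKEN_PREFIX) and len(path) > len(TOKEN_PREFIX):
        rec_id = find_record_by_token(path[len(TOKEN_PREFIX):])
        if rec_id is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"unknown link\n"]
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = rec_id
        # Step 3: 303 See Other makes the browser issue a fresh GET for the
        # clean URL. no-store keeps the tokened response out of caches;
        # HttpOnly/Secure/SameSite limit what can read or replay the cookie.
        start_response("303 See Other", [
            ("Location", CLEAN_PATH),
            ("Set-Cookie", f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"),
            ("Cache-Control", "no-store"),
            ("Content-Type", "text/plain"),
        ])
        return [b""]

    # Step 4: the clean URL serves the form from the session, no token in sight.
    if path == CLEAN_PATH:
        sid = session_id_from(environ)
        rec_id = SESSIONS.get(sid) if sid else None
        if rec_id is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"no active edit session\n"]
        start_response("200 OK", [
            ("Content-Type", "text/plain"),
            ("Cache-Control", "no-store"),
        ])
        return [f"edit form for: {RECORDS[rec_id]['data']}\n".encode("utf-8")]

    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]


def call(path, cookie=""):
    """Drive the app in-process (no network): returns (status, headers, body)."""
    environ = {"PATH_INFO": path, "HTTP_COOKIE": cookie}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Walk the pattern end to end: tokened link -> 303 + cookie -> clean URL.
    status, headers, _ = call("/edityourstuff/hdD8sF2m")
    print(status, headers["Location"])
    sid_cookie = headers["Set-Cookie"].split(";")[0]
    print(call("/edityourstuff", cookie=sid_cookie)[2].decode())
```

Run it directly to see the exchange, or mount `app` with `wsgiref.simple_server.make_server` to drive it from a real browser. Two limits of the pattern are worth keeping in mind: the redirect only keeps the token out of the address bar afterwards, since the browser has already requested the tokened URL; and anyone holding the emailed link can still start a session, so expiring tokens or invalidating them after first use is the usual complement, which this example leaves out.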
Comments (1)
I just did some quick testing myself with Firefox 7.0.1.
When using the above pattern, no matter whether it is a 301, 302 or 303 redirect, Firefox does not return to the initial URL when clicking the back button. However, it is shown in the full browsing history and is part of the URL completion list of the browser bar.
This is exactly the drawback I was hoping to avoid.