How to safely include password in query string(如何在查询字符串中安全地包含密码)
是否可以在 c# 站点的查询字符串中安全地包含密码.
Is it possible to safely include a password in a query string for a c# site.
我知道的一些假设和事情 -
Few assumptions and things I know -
- 该网站没有也不会有与其他网站的链接/图像/javascript/分析.因此,无需担心引荐链接.
- 与网络浏览器的所有通信都将通过 https.
- 我知道查询字符串会保留在电脑.
- 登录时不仅需要密码/用户名.如此简单将网址粘贴回浏览器不会导致登录.
I know the site may be susceptible to cross site scripting and replay attacks. How do I mitigate these?
Given the above scenario, how should I include a password in a query string?
Please don't ask me 'why', I know this is not a good idea, but it is what the client wants.
您可以使用 SSL 连接安全地将密码发送到 Web 服务器.这会加密客户端/服务器之间的所有通信.
You can safely send the password to a web server using a SSL connection. This encrypts all the communication between the client/server.
基本身份验证协议将用户/密码信息放在 HTTP 请求标头中.C# 和许多其他 Web 服务器语言可以访问此信息,并使用它来验证请求.与 SSL 混合使用时非常安全.
Basic authentication protocols place the user/password information in the HTTP request header. C# and many other web server languages can access this information, and use it to authenticate the request. When mixed with SSL this is very safe.
If none of the above is possible, then it's recommended that you create a unique key for each user. Rather then send their password this key is used. The advantage is that the key is stored in the database and can be removed. The user's password remains unchanged, but they must register again to get a new key. This is good if there is a chance someone could abuse their key.
Hand shaking is where the client makes a request to the server, and the server sends back a randomly generated key. The client then generates a hash from that key using a secret, and sends it back to the server. The server can then check if the client knew the correct secret. The same thing can be done where the password is the secret instead and the client includes username details in the request. This can authenticate without ever sending the password.
如果以上都不是可能的选项,那么您可以尝试在密码通过开放 URL 发送之前使用 JavaScript 对其进行加密.我找到了一个开源版本 AES 分组密码.该项目名为 JSAES,支持 128 到 256 位加密.可能还有其他 JS 库做同样的事情.
If none of the above are possible options, then you could attempt to use JavaScript to encrypt the password before it's sent via an open URL. I found an open source version the AES block cipher. The project is called JSAES and supports 128 to 256 bit encryption. There might be other JS libraries that do the same thing.
- 带有服务/守护程序应用程序的 Microsoft Graph CSharp SDK 和 OneDrive for Business - 配额方面返回 null 2022-01-01
- WebMatrix WebSecurity PasswordSalt 2022-01-01
- C# 中多线程网络服务器的模式 2022-01-01
- Web Api 中的 Swagger .netcore 3.1,使用 swagger UI 设置日期时间格式 2022-01-01
- 输入按键事件处理程序 2022-01-01
- C#MongoDB使用Builders查找派生对象 2022-09-04
- 在哪里可以找到使用中的C#/XML文档注释的好例子? 2022-01-01
- MoreLinq maxBy vs LINQ max + where 2022-01-01
- 如何用自己压缩一个 IEnumerable 2022-01-01
- 良好实践:如何重用 .csproj 和 .sln 文件来为 CI 创建 2022-01-01