英文:
Securely transfer Username and Password in login.jsp without https
问题
我有一个Struts应用程序,我需要通过HTTP传输用户名和密码。
但是这些用户名和密码以明文形式传输,可以通过按Control+Shift+J查看。
有什么建议可以保护登录数据吗?
即它不应该以纯文本格式可见。
注意 - 登录凭据是通过数据库和LDAP进行验证的。
提前感谢!!!
英文:
I have an struts application where I need to transfer username and password over http.
but that username and password are transferred in plaintext can be viewd by pressing Control+Shift+J.
Any suggestion how to secure login data ?
i.e it shouldn't be visible in plaint text format
Note--That login credentials are verified using database and LDAP
Thanks in Advance !!!
答案1
得分: 1
你可以对密码进行哈希处理,然后将用户名和密码哈希值发送到服务器。
英文:
You can hash password and then send the Username + password hash to server.
答案2
得分: 0
我假设您正在使用login.jsp中的表单提交来提交用户名和密码。
请改用HTTP POST而不是GET:
在您的login.jsp中,将HTTP方法改为POST
<form action="welcome.jsp" method="post">
GET和POST方法都用于在HTTP协议中从客户端向服务器传输数据,但GET和POST方法之间的主要区别在于GET在URL字符串中附加请求参数(以明文形式显示在浏览器中),而POST将请求参数包含在消息体中,这使得它更安全地传输数据从客户端到服务器在HTTP协议中。
阅读更多关于POST的信息:https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/POST
编辑:
在浏览器中加密数据(使用Javascript):
<html>
<head>
<script src="md5.js" language="javascript">
console.log("md5.js script loaded");
</script>
<script language="javascript" type="text/javascript">
function doLogin()
{
document.formname.hash.value=MD5(document.formname.password.value);
document.formname.password.value = "";
document.formname.submit();
}
</script>
</head>
对于表单提交按钮:
<input onClick="doLogin(); return true;" type="submit" value="Login">
英文:
I assume you are using a form submission in login.jsp to submit username and password.
Use HTTP POST instead of GET:
In your login.jsp, use http method as POST
<form action="welcome.jsp" method="post">
Both GET and POST method is used to transfer data from client to server in HTTP protocol but Main difference between POST and GET method is that GET carries request parameter appended in URL string(as plaintext and can be viewed from browser) while POST carries request parameter in message body which makes it more secure way of transferring data from client to server in http protocol.
More to read about Post: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/POST
EDIT:
Encrypt data in browser (Javascript way):
<html>
<head>
<script src="md5.js" language="javascript" >
console.log("md5.js script loaded");
</script>
<script language="javascript" type="text/javascript">
function doLogin()
{
document.formname.hash.value=MD5(document.formname.password.value);
document.formname.password.value = "";
document.formname.submit();
}
</script>
For form submit button,
<input onClick="doLogin(); return true;" type="submit" value="Login">
答案3
得分: 0
使用SSL(Https)以确保安全地发布您的数据。尽管表单数据在开发工具下对用户的浏览器可见,但当连接安全时,其他人无法拦截发布的数据。
- 即使在POST之前对发布的数据进行加密,由于HTML/表单数据可见,数据仍然可以在控制台中看到。
英文:
Use SSL(Https) in order to securely post your data. Though the form data is visible to a user on his/her browser under the Dev Tools, no one else can intercept the posted data when the connection is secure.
- Even if you encrypt post data before POST, the data can still been seen in the console as the HTML/Form data is visible.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论