How to send securely passwords via GET/POST?

2019-05-29 08:26发布

问题:

I want to send HTTPS request in Java and send password in GET or POST data. Is it secure? Can I just put password in POST/GET field as a plain text and that will be secured when I use https? Or should I do something more?

回答1:

The usual practice is to send your authentication username+password as the Base64 encoded Authorization header.

Base64 encoding is not encryption. You still have to ensure it goes thro SSL/https.

Base64 codec is a means to ensure that endianess and other idiosyncrasies of routers, switches, and other network intermediaries do not transform the password or any binary data to be transported thro the cloud of networks.

The codec works by perceiving a stream of binary data as being a train of individual text characters. But the characters are not 8-bit but 6-bit. The 64 text characters used are the usual A-Z,a,z,0-9,+,/. With A having the value 0 and / having the value 63.

The http authentication header usually has this basic authentication format:

Authorization: Basic base64-encoded-username-password

Where base64-encoded-username-password has the layout username:password passed thro the base64 encoder (which is a Java util class, btw).

http://en.wikipedia.org/wiki/HTTP_header.

http://en.wikipedia.org/wiki/Base_64.



回答2:

Always send a password using POST. https will ensure it is encrypted whilst being sent.