jQuery,通过ajax发送密码?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4101440/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
jQuery,sending password via ajax?
提问by user147
I have registration box,and I want users to register via ajax. Is it safe to send password via jquery ajax? If not,can someone explain what to do to secure password data,any example?
我有注册框,我希望用户通过ajax注册。通过 jquery ajax 发送密码是否安全?如果没有,有人可以解释如何保护密码数据,任何例子?
采纳答案by Andrea Turri
Just to clarify, there is not a 100% secure method to send any kind of data with Ajax, or even a normal POST.
澄清一下,没有一种 100% 安全的方法可以使用 Ajax 发送任何类型的数据,甚至是普通的 POST。
A good practice is to use SSL/TLS Certificates, if you have a good SSL/TLS certificate nobody can sniff out the password from observing your network traffic.
一个好的做法是使用 SSL/TLS 证书,如果你有一个好的 SSL/TLS 证书,没有人可以通过观察你的网络流量来嗅出密码。
Unfortunately these services are not free. (*)
不幸的是,这些服务不是免费的。(*)
If you don't want to pay for something like that and you're building a Sign Up / Log In you can simply use OpenAuth or OpenID and let people join using Social Networks avoiding many security steps both Client and Server side.
如果您不想为这样的事情付费并且您正在构建注册/登录,您可以简单地使用 OpenAuth 或 OpenID 并让人们使用社交网络加入,从而避免客户端和服务器端的许多安全步骤。
*: As suggested by Ivan Venediktov, you can now get a free SSL certificate by following this LINK.
*:根据Ivan Venediktov 的建议,您现在可以按照此链接获得免费的 SSL 证书。
回答by Radu
Make sure that you're sending it via POST and use SSL rather than plain old http and you should be fine. Sending it via AJAX does not make it less safe than a regular post.
确保你通过 POST 发送它并使用 SSL 而不是普通的旧 http,你应该没问题。通过 AJAX 发送它并不比普通帖子更安全。
See this answer(and another discussion here) for a more in depth explanation, but the jist of it is that the request you're making, and the information that is transmitted over the wire is fundamentally the same whether its an AJAX request or form submit.
有关更深入的解释,请参阅此答案(以及此处的另一个讨论),但其要点是您正在发出的请求以及通过网络传输的信息无论是 AJAX 请求还是表单都基本相同提交。
回答by Nick Craver
回答by Anders Fjeldstad
It's just as safe/unsafe as sending the password via a full post-back. You need to use an encrypted connection in order for it to be safe(r). Use SSL (https://).
它与通过完整回发发送密码一样安全/不安全。您需要使用加密连接才能使其安全(r)。使用 SSL (https://)。
回答by Bruce Aldridge
If you want to go one step further with security. You don't even need to collect the users password, you can generate a hash (with salt!) on the client side with something like this http://www.movable-type.co.uk/scripts/sha1.htmlthen you never see the password, only the hash
如果您想在安全方面更进一步。你甚至不需要收集用户密码,你可以在客户端生成一个哈希(用盐!),像这样http://www.movable-type.co.uk/scripts/sha1.html然后你永远看不到密码,只有哈希
The only issue with this is javascript is required. you can easily do a fallback however
唯一的问题是需要 javascript。但是,您可以轻松地进行后备
