问题
If I send password in JSON over HTTPS to perform authentication is it secure? Is there a better way to do it?
In general what is the best way to send a username and password over to a server to perform authentication?
回答1:
Generally speaking, yes, this is safe against a passive network eavesdropper, which is the primary threat one is concerned about in this sort of architecture.
If you'd prefer not to send the password in the (HTTPS-encrypted) request, you can have the server send a unique challenge string to the client. The client hashes the combination of that string with the password and then sends the hash to the server. This proves to the server that the client has the password without actually sending it. Yahoo's Login form used to work like this, for instance.
来源:https://stackoverflow.com/questions/18245096/is-sending-a-password-in-json-over-https-considered-secure