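You often hear people say that POST is more secure than GET. The idea seems to be all over the web and has taken deep root, but is POST really more secure than GET?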

HTTP request methods

The two most commonly used ways to send an HTTP request are:

① The GET mechanism
② The POST mechanism

The GET mechanism

GET has its limits, such as a maximum of 1024 bytes, which I will not go into here. Its most distinctive feature is that, on submission, the parameters are sent in the URL.

The POST mechanism

POST actually places the data in the data section of the HTTP message; it just is not displayed in the URL.

Request examples

The GET mechanism

For example, request this URL:

http://topic.csdn.net/u/20121016/08/2f7960fd-31bd-44ee-bec5-ed297af60039.html?seed=996321166&r=79901963

This is clearly a GET request with parameters. Viewed in the Chrome browser:

![]()

The values can be read straight from the URL. If the call is made at a lower level, however, such as an Ajax request, nothing is shown in the browser's address bar, as with the request below:

![]()

The POST mechanism

For example, the login request of cnblogs (博客园):

/login.aspx?ReturnUrl=http%3a%2f%2fwww.cnblogs.com%2f

Viewed in the browser:

![]()

As you can see, this is a POST request, and the address bar carries no parameter information, let alone a password. But read on: sure enough, a POST request likewise transmits its content in plaintext, as the following Wireshark capture shows:

![]()

The packet as sent:

![]()

The part highlighted in blue in the figure above is the POST data. POST simply writes the data at the end of the HTTP message, nothing more. So, from a security standpoint, it is no different from a background Ajax GET request that is not displayed. Is POST more secure, then? Not necessarily, because POST was never designed for security in the first place.
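
As an added example (not part of the original post), the following Python code parses two constructed plain-HTTP login requests, one GET and one POST, and shows that anyone who can read the raw bytes recovers the same password from either. The host, the path and the field names `user` and `pwd` are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests (not captured traffic): the same login sent
# two ways over unencrypted HTTP. Host, path and field names are made up.
GET_REQUEST = (
    b"GET /login?user=alice&pwd=s3cret HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)
POST_BODY = b"user=alice&pwd=s3cret"
POST_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(POST_BODY)).encode() + b"\r\n"
    b"\r\n" + POST_BODY
)


def observed_fields(raw: bytes) -> dict:
    """Return what a passive reader of the unencrypted bytes can see."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    seen = {"method": method, "url": parse_qs(urlsplit(target).query), "body": {}}
    # Read only as many body bytes as Content-Length declares.
    length = int(headers.get("content-length", "0"))
    ctype = headers.get("content-type", "")
    if length and ctype.startswith("application/x-www-form-urlencoded"):
        seen["body"] = parse_qs(body[:length].decode("utf-8", "replace"))
    return seen


def recovered_password(raw: bytes):
    """The password field, whether it travelled in the URL or in the body."""
    seen = observed_fields(raw)
    return {**seen["url"], **seen["body"]}.get("pwd", [None])[0]


if __name__ == "__main__":
    for raw in (GET_REQUEST, POST_REQUEST):
        seen = observed_fields(raw)
        print(seen["method"], "url:", seen["url"], "body:", seen["body"])
```

The only difference between the two requests is where the fields sit in the message; keeping them from being read in transit requires encrypting the connection (HTTPS), not changing the method.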

Going a bit further

Ajax cross-domain requests

Forbidding cross-domain Ajax therefore makes sense: if it were allowed, a few lines of JS would be enough to leak important information such as passwords.

Number of TCP connections

To speed up downloading (loading), modern browsers have taken great liberties with the "should" in the RFC's "should be at most 2 connections". Because the RFC says only "should" and not "must", modern browsers generally allow more than 2 simultaneous TCP connections.

The TCP protocol

As mentioned in the previous post on TCP connection detection, "TCP is just the sending and receiving of data, including the handshake, teardown, and rst, time_wait, close_wait and so on." HTTP is the same: once you know the protocol, writing a simple IIS yourself really is not hard.
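
Finally

The number of TCP connections came up earlier, which brings to mind a question that extends the topic a little further: why can't one machine have more than 65535 TCP connections to the same IP and port (in practice, of course, even 65535 cannot be reached)?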