Basic knowledge of web security (2)

Basic knowledge of web security (continued from the previous article)

10. HTTP authentication: Basic authentication

1. Authentication process:
(1) The client requests a restricted resource (one that requires login).
(2) The server does not return the resource. It answers 401 Unauthorized with a WWW-Authenticate: Basic realm="..." header, which tells the browser to show its login dialog.
(3) The user enters the user name and password. The browser joins them as "username:password", Base64-encodes that string and resends the request with an Authorization: Basic <encoded> header. The server decodes the header and checks the credentials against its user database.
(4) If the check succeeds the server returns the resource. The browser then attaches the same header to every later request for that realm, so the credentials travel with the whole session.
2. Use: small-network devices such as router admin pages.
3. Features: the Base64-encoded user name and password are effectively transmitted in plain text. Base64 is an encoding, not encryption; anyone who can read the traffic recovers the credentials in one step.
4. Advantages: supported by almost every browser and HTTP client.
5. Disadvantages: no security of its own. It is only acceptable over HTTPS, and even then there is no real logout (browsers cache the credentials), no built-in rate limiting, and a captured header can be replayed.
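Both sides of the exchange above, as an added example that is not part of the original article. It assumes a constructed user store with one account (admin / s3cret) and a hypothetical realm name "router"; the server side answers the 401 challenge, decodes the header the way RFC 7617 specifies, and compares password digests in constant time so that response timing does not reveal which user names exist.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store: salted SHA-256 digests, never the clear
# passwords. A real service would use a slow password hash (bcrypt,
# scrypt or Argon2); SHA-256 is used here only to stay stdlib-only.
SALT = b"example-salt"

def hash_password(password: str) -> bytes:
    return hashlib.sha256(SALT + password.encode("utf-8")).digest()

USERS = {"admin": hash_password("s3cret")}
DUMMY_HASH = hash_password("placeholder")   # compared against for unknown users
CHALLENGE = {"WWW-Authenticate": 'Basic realm="router", charset="UTF-8"'}

def build_basic_header(username: str, password: str) -> str:
    """Step (3), browser side: Authorization: Basic base64("user:pass").
    Base64 is an encoding, not encryption; parse_basic_header below
    reverses it with one call, and so can anyone on the wire."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic_header(value: str):
    """Decode an Authorization header. Returns (username, password), or
    None when it is not a well-formed Basic credential."""
    scheme, _, encoded = value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user name cannot contain ':'; everything after the
    # first ':' is the password, so passwords may contain ':'.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None

def handle_request(headers: dict):
    """Steps (2) and (4), server side. Returns (status, response_headers)."""
    auth = headers.get("Authorization")
    creds = parse_basic_header(auth) if auth else None
    if creds is None:
        return 401, CHALLENGE            # step (2): challenge, no resource
    username, password = creds
    # Always hash and always compare, even for unknown users, so that the
    # response time does not reveal which user names exist.
    expected = USERS.get(username, DUMMY_HASH)
    ok = hmac.compare_digest(expected, hash_password(password))
    if not ok or username not in USERS:
        return 401, CHALLENGE            # wrong credentials: challenge again
    return 200, {}                       # step (4): serve the resource
```

Running parse_basic_header over a captured header is all an on-path attacker needs, which is why point 3 calls the transmission plain text despite the Base64 layer; the only thing that changes that picture is putting the whole exchange inside TLS.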

11. HTTP authentication: OAuth

1. Authentication process
The client (the website the user is on) asks the user for authorization. Once the user agrees, the client requests a token from the third-party authorization server; after that server has authenticated the user it returns a token, and every later request for the protected resource carries the token.
2. What the OAuth flow looks like in practice: the Douban login page offering third-party login with QQ.
① The user opens the Douban login page and chooses "log in with QQ". Douban answers with a 302 redirect to QQ's authorization endpoint, passing its client_id, the redirect_uri to come back to and a random state value.
② Following the redirect, the browser sends the request to QQ's authorization server. It is the user's browser, not Douban, that talks to QQ here.
③ The user enters the QQ user name and password on QQ's own page. QQ authenticates them and asks for consent to share the profile with Douban; on success it responds with a 302 back to the Douban redirect_uri. That redirect carries a short-lived, one-time authorization code plus the state value. The QQ password never reaches Douban, and nothing the browser sees is usable on its own.
④ Douban's callback checks that the state matches the one it stored for this browser session (without that check an attacker can log a victim into the attacker's QQ account). It then exchanges the code for an access token in a direct server-to-server request to QQ's token endpoint, proving its identity with its client_secret. The token therefore never passes through the browser.
⑤ From then on the browser talks to Douban as usual. Whenever Douban needs QQ data (openid, nickname, avatar) it calls the QQ API with the token in the Authorization header and QQ answers 200 with the profile. That is why the user's QQ information appears on Douban after the login.
This process is OAuth; the variant described here is the OAuth 2.0 authorization code flow. Strictly, OAuth is an authorization framework; using it for login relies on the profile endpoint, which OpenID Connect later standardised.
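The five steps above as one runnable exchange, added here as an example rather than taken from the article or from either site's real implementation. Both parties are simulated in one process with constructed data: a QQ-style authorization server (class AuthorizationServer) and a Douban-style client (class Client); the host names douban.example and qq.example, the client_id "douban" and its secret, and the QQ account qq_123 are all invented. The demo runs the happy path and then shows the two misuses the checks reject: a callback arriving in a browser session that did not start the login, and a replayed authorization code.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:
    """The QQ side: logs the user in, issues one-time codes, trades codes
    for bearer tokens and serves the profile endpoint. All data is
    in-memory and constructed for the example."""
    def __init__(self):
        self.clients = {"douban": ("douban-secret", "https://douban.example/callback")}
        self.users = {"qq_123": "qq-password"}
        self.codes = {}     # code -> (client_id, redirect_uri, user, expiry)
        self.tokens = {}    # access_token -> user

    def authorize(self, url: str, qq_user: str, qq_password: str) -> str:
        """Steps ② and ③: the browser arrives on the authorization
        endpoint, the user logs in to QQ, and QQ redirects back."""
        q = _query(url)
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("response_type") != "code":
            raise ValueError("unknown client or unsupported response_type")
        if q.get("redirect_uri") != client[1]:    # exact match, or the code leaks
            raise ValueError("redirect_uri mismatch")
        if not hmac.compare_digest(self.users.get(qq_user, ""), qq_password):
            raise PermissionError("bad QQ credentials")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], qq_user, time.time() + 60)
        # The 302 carries the code and the client's state, never the token.
        return client[1] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, code, redirect_uri) -> dict:
        """Token endpoint, called server-to-server: one code, one use,
        only by the client it was issued to."""
        entry = self.codes.pop(code, None)
        secret, _ = self.clients.get(client_id, ("", ""))
        if entry is None or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("invalid client or code")
        issued_to, issued_redirect, user, expiry = entry
        if (issued_to, issued_redirect) != (client_id, redirect_uri) or time.time() > expiry:
            raise PermissionError("code not valid for this client")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = user
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

    def userinfo(self, authorization: str) -> dict:
        """Profile endpoint: openid and nickname for a valid bearer token.
        The QQ password is never part of any response."""
        scheme, _, tok = authorization.partition(" ")
        user = self.tokens.get(tok) if scheme == "Bearer" else None
        if user is None:
            raise PermissionError("invalid token")
        return {"openid": user, "nickname": "qq-user"}

class Client:
    """The Douban side."""
    def __init__(self, qq: AuthorizationServer):
        self.qq, self.client_id, self.client_secret = qq, "douban", "douban-secret"
        self.redirect_uri = "https://douban.example/callback"
        self.sessions = {}  # browser session id -> {"state": ..., "user": ...}

    def start_login(self, session_id: str) -> str:
        """Step ①: answer the "log in with QQ" click with a 302 Location."""
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"state": state}
        return "https://qq.example/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "get_user_info", "state": state})

    def callback(self, session_id: str, url: str) -> dict:
        """Steps ④ and ⑤: check state, swap the code for a token, fetch
        the profile and bind it to the local session."""
        q = _query(url)
        sess = self.sessions.setdefault(session_id, {})
        # state ties the callback to the session that started the login;
        # without it an attacker can log a victim into the attacker's account.
        if not hmac.compare_digest(sess.get("state", ""), q.get("state", "")):
            raise PermissionError("state mismatch")
        tok = self.qq.token(self.client_id, self.client_secret, q["code"], self.redirect_uri)
        profile = self.qq.userinfo("Bearer " + tok["access_token"])
        sess["user"] = profile["openid"]
        return profile

def demo() -> dict:
    """Happy path plus the two misuses the checks reject."""
    qq, results = AuthorizationServer(), {}
    douban = Client(qq)
    back = qq.authorize(douban.start_login("browser-1"), "qq_123", "qq-password")
    for label, session in (("csrf", "browser-2"), ("login", "browser-1"), ("replay", "browser-1")):
        try:
            results[label] = douban.callback(session, back)
        except PermissionError as e:
            results[label] = str(e)
    return results
```

The two things worth copying from this are the exact-match check on redirect_uri in the authorization server (a prefix or substring match lets an attacker-controlled URI receive the code) and the state comparison in the client; the rest is the plain RFC 6749 authorization code flow.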

12. HTTP authentication: Cookie auth

What is it? The user requests the website; the website asks for a user name and password; after the check succeeds the website returns a Set-Cookie header carrying a session identifier (or a signed session token). On every later request the browser sends the cookie back, so as long as the cookie has not been cleared or expired the user is not asked to authenticate again. Because the cookie alone proves identity, it should be marked HttpOnly (not readable by page scripts), Secure (sent only over HTTPS) and SameSite (not sent on cross-site requests), it should expire, and the server must be able to invalidate it on logout.
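The issue-and-verify half of cookie authentication, added as an example that is not code from the article. It assumes a hypothetical stateless design in which the cookie holds a Base64 JSON payload (user name, expiry, nonce) signed with an HMAC under a constructed server key, so the server can check a cookie without a session database; the attributes on the Set-Cookie line are the ones the text above lists.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed; a real key lives in a secrets manager
SESSION_TTL = 3600                      # seconds
COOKIE_NAME = "session"

def _sign(payload: str) -> str:
    mac = hmac.new(SERVER_KEY, payload.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")

def issue_session_cookie(username: str, now: float = None) -> str:
    """The Set-Cookie value returned once the password check passed.
    Cookie = base64(json payload) "." HMAC(payload): the MAC stops the
    browser from editing the user name or the expiry. The attributes
    keep the cookie away from scripts, plain HTTP and cross-site requests."""
    now = time.time() if now is None else now
    body = {"u": username, "exp": int(now + SESSION_TTL), "n": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(body).encode("utf-8")).decode("ascii")
    value = payload + "." + _sign(payload)
    return f"{COOKIE_NAME}={value}; Path=/; Max-Age={SESSION_TTL}; HttpOnly; Secure; SameSite=Lax"

def parse_cookie_header(header: str) -> dict:
    """Split a request's Cookie header ("a=1; b=2") into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies

def authenticate_cookie(cookie_header: str, now: float = None):
    """Server side of every later request: return the user name if the
    session cookie is present, untampered and unexpired, else None
    (which means: ask for the password again)."""
    now = time.time() if now is None else now
    value = parse_cookie_header(cookie_header).get(COOKIE_NAME, "")
    payload, sep, sig = value.rpartition(".")
    if not sep:
        return None                       # no cookie, or not in our format
    if not hmac.compare_digest(sig.encode("utf-8"), _sign(payload).encode("utf-8")):
        return None                       # forged or edited cookie
    try:
        data = json.loads(base64.urlsafe_b64decode(payload))
    except (binascii.Error, ValueError):
        return None
    if data.get("exp", 0) < now:
        return None                       # expired: the server, not the browser, decides
    return data.get("u")
```

The expiry is checked server-side on purpose: Max-Age only tells the browser when to stop sending the cookie, and an attacker who copied it keeps it. The price of the stateless design is that logout cannot revoke a cookie before its expiry; where that matters, store the nonce in a server-side session table (or keep the TTL short).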

13. SSL/TLS

What is it? A protocol that provides confidentiality and data integrity between two communicating applications, together with authentication of the server (and optionally the client) through certificates. TLS (Transport Layer Security) is the successor of SSL. Every SSL version is deprecated, as are TLS 1.0 and 1.1 (RFC 8996), so current deployments should offer TLS 1.2 and 1.3 only.

14. The difference between HTTP and HTTPS

HTTP: plaintext transmission, default port 80. Anyone on the path can read or alter requests and responses.
HTTPS: HTTP carried over TLS, default port 443. The TLS layer gives confidentiality, integrity and proof that the server is the one named in its certificate.

15. TLS handshake process

(Diagram not recovered from the original page.) The full TLS 1.2 handshake runs as follows:
(1) ClientHello: the client sends the highest protocol version it supports, a 32-byte random value, the list of cipher suites it offers, and extensions such as the server name (SNI).
(2) ServerHello: the server picks the version and cipher suite and sends its own random value, its certificate chain, its key-exchange parameters (ServerKeyExchange, for ECDHE suites) and ServerHelloDone.
(3) The client validates the certificate chain against its trusted CAs and checks that the name matches. It then sends ClientKeyExchange (its ECDHE share, or a premaster secret encrypted to the server's RSA key), ChangeCipherSpec, and an encrypted Finished message that carries a MAC over the whole handshake transcript.
(4) The server sends ChangeCipherSpec and its own Finished. Both sides derive the session keys from the premaster secret and the two random values; if either Finished does not verify, the connection is aborted, which is what defeats tampering with the handshake.
TLS 1.3 shortens this to one round trip: the client already sends its key share in ClientHello, everything after ServerHello is encrypted, and RSA key transport and the non-forward-secret suites are gone.

16. HTTPS handshake process

(Diagram not recovered from the original page.) HTTPS adds nothing to the handshake itself: the browser opens a TCP connection to port 443, runs the TLS handshake above with the site's host name in SNI, verifies that the certificate was issued for that name by a trusted CA, and only then sends the HTTP request as encrypted application data. If the certificate check fails the browser shows a warning instead of sending the request, and the URL bar shows the lock only after the handshake has completed.
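The first message of both handshakes above is the ClientHello, and it is the one part of a TLS or HTTPS connection that a server, reverse proxy or IDS can read before any encryption exists. The following added example (not the page's own code; it opens no network connection) builds a constructed ClientHello record for a hypothetical www.douban.com connection, parses the record layer, handshake header, cipher-suite list and the SNI and supported_versions extensions, and then reports two findings a practitioner looks for: offered deprecated versions and offered RSA key-transport suites. The cipher-suite and version codes are the IANA values; the selection in CIPHER_NAMES is just enough to label the example.

```python
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B

# A few IANA cipher-suite codes, enough to label the constructed hello.
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}

def _u16(b: bytes, pos: int) -> int:
    return struct.unpack("!H", b[pos:pos + 2])[0]

def build_client_hello(hostname: str, suites, versions, random32=b"\x11" * 32) -> bytes:
    """Constructed message: the client's first flight, wrapped in a TLS
    record. Field layout follows RFC 5246 (ClientHello) and RFC 8446
    (supported_versions); the random is fixed so the output is stable."""
    sni_entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname.encode("ascii")
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sv_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    extensions = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
                  + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_body)) + sv_body)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", 0x0303) + random32 + b"\x00"      # legacy version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                        # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(handshake)) + handshake

def parse_client_hello(record: bytes) -> dict:
    """Extract what is visible before encryption starts: offered versions,
    cipher suites and the SNI host name. Raises ValueError on bad input."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = _u16(body, 0)
    pos = 2 + 32                                  # skip client random
    pos += 1 + body[pos]                          # skip session id
    n = _u16(body, pos)
    pos += 2
    suites = [_u16(body, i) for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                          # skip compression methods
    ext_end = pos + 2 + _u16(body, pos)
    pos += 2
    info = {"legacy_version": VERSION_NAMES.get(legacy_version, hex(legacy_version)),
            "cipher_suites": [CIPHER_NAMES.get(s, hex(s)) for s in suites],
            "sni": None, "supported_versions": []}
    while pos + 4 <= ext_end:
        etype, elen = _u16(body, pos), _u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:              # list_len(2) name_type(1) host_len(2) host
            host_len = _u16(data, 3)
            info["sni"] = data[5:5 + host_len].decode("ascii")
        elif etype == EXT_SUPPORTED_VERSIONS:     # len(1) then 2-byte versions
            versions = [_u16(data, i) for i in range(1, 1 + data[0], 2)]
            info["supported_versions"] = [VERSION_NAMES.get(v, hex(v)) for v in versions]
    return info

def check_hello(info: dict) -> list:
    """Findings a proxy or IDS would raise on the parsed hello."""
    findings = []
    if any(v in ("TLS1.0", "TLS1.1") for v in info["supported_versions"]):
        findings.append("offers deprecated TLS 1.0/1.1")
    if any(name.startswith("TLS_RSA_") for name in info["cipher_suites"]):
        findings.append("offers RSA key transport (no forward secrecy)")
    return findings

if __name__ == "__main__":
    rec = build_client_hello("www.douban.com", [0x1301, 0xC02F, 0x002F], [0x0304, 0x0303, 0x0301])
    parsed = parse_client_hello(rec)
    print(parsed, check_hello(parsed))
```

The SNI field is the reason a proxy can route HTTPS without decrypting it, and also the reason the destination host name of an HTTPS connection is not private on the wire (TLS 1.3's Encrypted ClientHello is the fix for that, and is not handled by this parser).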

Source: blog.csdn.net/zqzqzqzqwuwuwu/article/details/110194997