简体繁体 English

Javascript使用加密参数转到URL

[英]Javascript go to url with encrypted parameter

原文 2013-12-11 14:41:34 4 2 javascript/ post/ redirect

I am creating a google chrome extension which works and looks as if it was an extension of my website. 我正在创建一个google chrome extension ，它的工作原理和外观好像是我网站的扩展程序。

When you first open my extension you would have to login. 首次打开我的扩展程序时，您必须登录。 When you enter your username and password an ajax request is sent to my server. 当您输入用户名和密码时，ajax请求将发送到我的服务器。 If the result of the username and password is true i encrypt the password and store it in the extensteion 如果用户名和密码的结果为true，则我将密码encrypt并将其存储在扩展中

Now here is where it gets tricky: 现在，这里变得棘手：

if the user goes to my website it should automaticly log him/her in. i thought that i would in my extension make a check that if the website was mine it would redirect to a suburl and send the encrypted password / username, and my site would then auto log the user in 如果用户访问我的网站，它应该自动登录他/她。我想我会在我的扩展程序中进行检查，如果该网站是我的，它将重定向到一个子URL并发送加密的密码/用户名，以及我的网站然后会自动将用户登录

An example of an encrypted password looks like this: ZNVwb7ukhJfhBmdbo4SkPMjG6U8a0GKQB+/mPhQtRVw= 加密密码的示例如下所示： ZNVwb7ukhJfhBmdbo4SkPMjG6U8a0GKQB+/mPhQtRVw=

because of / i would like to send it as a post request. 由于/我想将其作为发帖请求发送。

Do you guys know how i would achieve this? 你们知道我将如何实现这一目标吗？

2 个解决方案

Without commenting on the encryption you are using, it sounds like you want to avoid a GET request solely because the URL contains the / character? 在不评论您使用的加密的情况下，听起来您似乎仅由于URL包含/字符而希望避免GET请求。

You can send this via GET, you should simply URL encode the value. 您可以通过GET发送此消息，只需对值进行URL编码即可。

URLs can only be sent over the Internet using the ASCII character-set. URL只能使用ASCII字符集通过Internet发送。

Since URLs often contain characters outside the ASCII set, the URL has to be converted into a valid ASCII format. 由于URL通常包含ASCII集之外的字符，因此必须将URL转换为有效的ASCII格式。

URL encoding replaces unsafe ASCII characters with a "%" followed by two hexadecimal digits. URL编码将不安全的ASCII字符替换为“％”，后跟两个十六进制数字。 URLs cannot contain spaces. 网址不能包含空格。 URL encoding normally replaces a space with a plus (+) sign or with %20. URL编码通常用加号（+）或％20代替空格。

So if you want to send a forward slash to be interpreted as a query string parameter instead of a path delimiter, you should encode it to %2F . 因此，如果要发送正斜杠以解释为查询字符串参数而不是路径定界符，则应将其编码为%2F 。 It is better to use a standard library for this and pass the whole string in rather than rolling your own to only encode the slash. 最好为此使用标准库，然后传入整个字符串，而不要滚动自己的字符串以仅对斜杠进行编码。

I would suggest rather than trying to store an encrypted password and possibly succumbing to future security issues, you use a token instead. 我建议您使用令牌代替，而不是尝试存储加密的密码并可能会导致将来的安全问题。 So the process would be: 因此，过程将是：

The user runs your extension 用户运行您的扩展程序
The extension sends the user's login information to the remote server (over HTTPS) and gets back a token 该扩展将用户的登录信息发送到远程服务器（通过HTTPS）并获取令牌
The token is used for all further requests 该令牌用于所有其他请求

To do this you need a session table on your remote server that can interpret the token in each request to find the user that is making the request. 为此，您需要远程服务器上的会话表，该会话表可以解释每个请求中的令牌以查找发出请求的用户。 Best practice would dictate that eventually the token should become stale with inactivity, requiring a user to login again. 最佳做法是，最终令牌应在不活动的情况下变得陈旧，要求用户再次登录。 This time out would generally be in the range or 1-24 hours. 超时时间通常在1到24小时之间。