堆栈内存溢出
  简体   繁体   English

当用户有权访问url但不能访问查询参数时使用什么https状态代码?

[英]What https status code to use when user has access to url but not to query parameters?

 原文  2011-04-13 08:56:12       security/ http/ permissions/ status

问题描述

Good day, 美好的一天,

What http status code should be used when the requester has access to that url but had improper query parameters. 当请求者可以访问该URL但查询参数不正确时,应使用什么http状态代码。

Let's say something like this: 我们这样说:

As user 100, I can access http://example.com/bankaccount/get?id=100 作为用户100,我可以访问http://example.com/bankaccount/get?id=100

However, I should not be able to see the bank account of another user, let's say via http://example.com/bankaccount/get?id=200 . 但是,我应该看不到其他用户的银行帐户,例如通过http://example.com/bankaccount/get?id=200

Which HTTP Status code should be used? 应该使用哪个HTTP状态代码?

3 个解决方案

解决方案1
 5 已采纳  2011-04-13 09:30:55

If the access is forbidden, return 403 : 如果禁止访问,则返回403

The server understood the request, but is refusing to fulfill it. 服务器理解了该请求,但拒绝执行该请求。 […] If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. […]如果请求方法不是HEAD,并且服务器希望公开为何未满足请求的原因,则应在实体中描述拒绝原因。 If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead. 如果服务器不希望将此信息提供给客户端,则可以改用状态代码404(未找到)。

But I don't see the point of explicitly specifying the ID anyway as you already now the user's ID. 但是我仍然看不到明确指定ID的意义,因为您现在已经是用户的ID。 So /bankaccount/get should suffice in this case. 因此,在这种情况下, /bankaccount/get应该足够了。

解决方案2
 1  2011-04-13 09:29:52

In your example I would either send a 302, redirecting him to an error page, or a 200 with a custom error page right there. 在您的示例中,我要么发送302,将其重定向到错误页面,要么发送200,并在其中添加自定义错误页面。 This will be the most user friendly version. 这将是最用户友好的版本。

Edit: If you want to opt for something in the 4xx area of status codes, make sure the webserver supplies an appropriate error page. 编辑:如果要在状态代码的4xx区域中选择某些内容,请确保Web服务器提供适当的错误页面。 The average user will not be happy to see a white screen with "403 - Forbidden". 普通用户不会看到显示“ 403-Forbidden”的白色屏幕。 403 with a custom error page is a good solution to this problem. 带有自定义错误页面的403是解决此问题的好方法。

解决方案3
 0  2011-04-13 09:07:40

I vote for 403 - Forbidden, since it's a legitimate request, but not allowed for the current user. 我投票给403-禁止,因为这是合法请求,但当前用户不允许。

If the query parameter names were wrong, on the other hand, it should probably be 404. 另一方面,如果查询参数名称错误,则应该为404。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用查询参数限制对URL的访问 - Limit access to an URL with query parameters 当通过https连接时,在Cookie中存储用户密码有什么风险? - What are the risks of storing a user password in a Cookie, when the connection is via https? Symfony2检查用户是否可以访问Twig中的url - Symfony2 check if user has access to url inside Twig 应用程序委派用户时的安全URL参数(概念) - Secure URL parameters when an application delegates the user (concept) 哪个文件夹保证用户在Windows上具有写访问权限? - What folder guarantees user has write access on windows? 使用C#将照片保存到用户无权访问的目录 - Use C# to save photos to directory that user has no access to 是否可以跟踪在https URL查询字符串和Post参数中传递的请求参数? - Is it possible to trace the request parameters passed in a https URL querystring and Post parameters? 当URI是URL时,了解实体ID应该使用HTTP或HTTPS - Understanding Entity ID when URI is URL should I use HTTP or HTTPS 可以通过URL参数通过HTTPS安全地发送用户名和密码吗? - Can a username and password be sent safely over HTTPS via URL parameters? 使用HTTPS时散列用户密码 - Hashing user passwords when using HTTPS
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM