How to make the Web more secure-3

Source: Internet
Author: User
Establishing an encrypted connection requires only that the server obtain a certificate from a certificate authority such as VeriSign. But encryption only prevents an attacker from seeing the data a site sends and receives; it does not prevent attackers from forging identities or maliciously attacking the site.
Second, disguising as a legitimate visitor of a Web site
Now we know how to identify a Web site, but how does a site identify its visitors? Here we go on to discuss the problem.
Most Web servers support two password authentication schemes: Basic authentication and Digest authentication. Both schemes work by sending an authentication challenge to the browser. When the browser first receives the challenge, it displays a dialog box asking for the user's name and password. In Basic authentication mode, the browser passes the user name and password in plain text form. In Digest authentication mode, the browser transmits a message digest of the user name and password. If the server confirms the credentials, the browser stores the login information.
If you implement these authentication schemes with simple settings on the Web server, you do not need to add any code in your Web application.
Eavesdropping by an attacker: if a visitor sends his user name and password in plain text form, it is easy for an attacker to capture this information. Transferring user information over SSL easily solves this problem, as shown in the following example.
User ID: <input type="text" name="user">
Password: <input type="password" name="Password">
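As an added illustration (not code from the original article), the Python sketch below builds what the browser sends in each of the two modes described above: the Basic header is only Base64 and decodes straight back to the password, while the Digest response is an MD5 hash bound to a server-issued nonce. The account, realm and nonce values are constructed for the example, and the digest formula is the RFC 2617 form without qop.

```python
import base64
import hashlib
import hmac

def basic_header(user, password):
    """Authorization value sent in Basic mode: Base64 of 'user:password'."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def recover_from_basic(header):
    """What anyone reading the request recovers: Base64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """Digest mode 'response' value (RFC 2617, no qop): MD5(HA1:nonce:HA2)."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_accepts(user, realm, password, method, uri, nonce, response):
    """Server side: recompute from the user database, compare in constant time."""
    expected = digest_response(user, realm, password, method, uri, nonce)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed sample account and nonces, for illustration only.
    user, password, realm = "alice", "s3cret-Pass", "members"
    hdr = basic_header(user, password)
    print(hdr, "->", recover_from_basic(hdr))
    for nonce in ("nonce-0001", "nonce-0002"):
        resp = digest_response(user, realm, password, "GET", "/account", nonce)
        ok = server_accepts(user, realm, password, "GET", "/account", nonce, resp)
        print(nonce, resp, ok)
```

Neither mode encrypts the rest of the request or the page content, so the article's advice to carry the login over SSL applies to both.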
If an attacker cannot eavesdrop on the communication between the Web site and the visitor, he will take a more despicable approach: disguising himself as one of your legitimate visitors. This situation is usually caused by the visitors themselves, because most network users are not very careful in choosing passwords, so their passwords are generally not very secure. They also like to use the same user name and password on every site they log on to.
The way to solve this problem is for visitors to use a secure password when registering an account. A Web site should preferably be able to prevent visitors from setting an English word as a password, and it can advise users to use a password that combines numbers and letters.
Third, disguising as a Web site administrator
When a visitor logs on to your site, you keep their identity valid until they leave the site. So how do you implement this function? No permanent connection is established between the browser and the server; the server establishes a separate connection only after each page request is received. How, then, does the server confirm the identity of the user after a successful login?
The answer is that the browser saves the user's name and password. When the browser connects to the server again, it passes the user name and password that it has already stored. The server verifies this information against the user database and decides on that basis whether to allow or deny access.
