0

I am trying to leverage the API's of an online registration system called EventBrite. I am wondering specifically about the user_new method. The following is an example of a request URL for this method:

https://www.eventbrite.com/xml/user_new?email=user@eventbrite.com&passwd=xxxxx

Where user@eventbrite.com is the email and xxxxx is the password. This method would be called from an ASP.NET application, but I can't help but questions the security of this...I am just passing someone's email and password as text in a URL? Can someone help me understand the level of security given this information, and how to make this secure?

More information on the method: http://developer.eventbrite.com/doc/users/user_new/

4

2 回答 2

2

我认为你有点担心是对的,不是因为 Marc 在评论中指出的拦截,而是因为服务器日志将记录你的 URL(带密码)。请参阅此处的讨论HTTPS (HTTP + SSL) 中的查询字符串参数是否安全?

于 2013-10-26T21:46:42.677 回答
1

我在 Eventbrite 的 API 团队工作,所以希望我能在这里为您提供帮助。

正如另一个答案中提到的,服务器日志是这里的主要漏洞点。虽然我们采取了适当的措施来控制安全性——但我们确实为您提供了更好的潜在选择(而不是支持的 /user_new 方法)。

我们首选的身份验证方法是 OAuth ( http://developer.eventbrite.com/doc/authentication/oauth2/ ),当您通过此流程发送用户时,在 Eventbrite 上没有现有帐户的用户可以选择在此流程中注册。

我希望这将帮助您完成您的目标任务。

干杯!

于 2013-10-28T12:38:30.400 回答