Cookies vs. Basic Authentication

Question:

Why are almost all websites out there using cookies instead of basic auth? It can't be only that the user/pass window is ugly and none of them is more secure. They are both insecure (without https).

To log out of a basic auth login, the browser often needs to be quit entirely. This means there is no way for the server to log out the user.

I believe basic auth also has more overhead (assuming your cookie size isn't massive), but I might be wrong about that.

HTTP basic auth also sends the username and password with every request, making it potentially less secure because there is more opportunity for interception.
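
The logout and per-request credential points from the answers above, side by side, as an added example (not code from the original posts). The account, the cookie name `session` and all function names are constructed for illustration; only the Python standard library is used.

```python
import base64
import secrets

USERS = {"alice": "correct horse"}   # constructed sample account
SESSIONS = {}                        # session id -> user, kept server-side

def verify(user, password):
    expected = USERS.get(user)
    return expected is not None and secrets.compare_digest(
        expected.encode(), password.encode())

def basic_header(user, password):
    """Authorization value a browser repeats on every Basic auth request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic(header):
    """Decode the header and re-check the password; None if rejected."""
    scheme, _, token = header.partition(" ")
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except ValueError:               # bad base64 or bad UTF-8
        return None
    user, sep, password = raw.partition(":")
    ok = scheme.lower() == "basic" and sep and verify(user, password)
    return user if ok else None

def login(user, password):
    """Password travels once; later requests carry only a random id."""
    if not verify(user, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return f"session={sid}"

def check_cookie(cookie):
    name, _, sid = cookie.partition("=")
    return SESSIONS.get(sid) if name == "session" else None

def logout(cookie):
    SESSIONS.pop(cookie.partition("=")[2], None)   # server-side revocation

def demo():
    header = basic_header("alice", "correct horse")
    recovered = base64.b64decode(header.split()[1]).decode()  # base64 is not encryption
    cookie = login("alice", "correct horse")
    before = check_cookie(cookie)
    logout(cookie)
    return recovered, before, check_cookie(cookie), check_basic(header)
```

`demo()` returns the `user:password` pair recovered from a single Basic header, the session user before logout, `None` for the same cookie after logout, and the user for the replayed Basic header, which the server still accepts because it has nothing to revoke short of changing the password.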