Forum: Ruby on Rails Unencrypted Password Appears in Log

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- and Ruby-related community platforms.
Mike R. (Guest)
on 2007-04-13 22:21
(Received via mailing list)
I have a requirement to authenticate my app users through Active
Directory.  My login form captures a user's ID and password and passes
them to a net/ldap routine.  I'm using form_for...|form|  to create
the form and form.password_field to create the password field.  The
password entry is encrypted on the screen but appears unencrypted in
the development log in the params listing.

What can I do to keep the unencrypted password from appearing in the log?


Bill W. (Guest)
on 2007-04-13 22:34
(Received via mailing list)
Hi Mike,

imdwalrus wrote:

> What can I do to keep the unencrypted password from
> appearing in the log?

I have a requirement to filter *all* user input from my logs, so this isn't
specific to passwords.  This'll get you in the ballpark, though.

Inside application.rb, outside the methods:

if %w(production).include?(ENV['RAILS_ENV'])
  # blank every logged parameter value except the routing keys
  filter_parameter_logging { |k, v| v.replace('') unless k == 'controller' or k == 'action' }
end

Chris M. (Guest)
on 2007-04-13 23:00
(Received via mailing list)
Use filter_parameter_logging:

You can stick this in your ApplicationController, or do it on a per-controller basis.

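The two answers above describe the same mechanism with different policies: Chris redacts by key name, Bill blanks every user-supplied value. The following is an added example, not code from this thread and not Rails' own source: a plain Ruby reimplementation of how such a filter has to work, written to show the one detail both replies leave implicit, namely that nested parameters (user[password]) are only protected if the filter recurses into them. The names filter_parameters, filter_all_user_input, SENSITIVE_KEYS and the sample parameters are all constructed for this example.

```ruby
# Added example (not from the thread, not Rails' code): a standalone model of
# parameter filtering for request logs. Rails' filter_parameter_logging does
# something similar; this is an illustration written in plain Ruby.

# Keys whose values are always replaced, matched case-insensitively,
# in the spirit of Chris's filter_parameter_logging :password.
SENSITIVE_KEYS = /passw|secret|token/i

# Returns a redacted copy of +params+. Any key matching +pattern+ becomes
# '[FILTERED]'; nested hashes are filtered recursively. If a block is given it
# is called with each remaining (key, value) pair and may mutate the value,
# which is how Bill's block form (v.replace '') works.
def filter_parameters(params, pattern = SENSITIVE_KEYS, &block)
  params.each_with_object({}) do |(key, value), filtered|
    key = key.to_s
    filtered[key] =
      if key =~ pattern
        '[FILTERED]'
      elsif value.is_a?(Hash)
        # user[password] and friends live here; without this recursion the
        # nested credential would be written to the log in the clear
        filter_parameters(value, pattern, &block)
      elsif block
        value = value.dup if value.is_a?(String) # leave the request's own params intact
        block.call(key, value)
        value
      else
        value
      end
  end
end

# Bill's policy: keep only the routing keys, blank every user-supplied value.
def filter_all_user_input(params)
  filter_parameters(params) do |k, v|
    v.replace('') if v.is_a?(String) && !%w(controller action).include?(k)
  end
end

# Constructed sample of what a login POST looks like in the development log.
SAMPLE_PARAMS = {
  'controller' => 'sessions',
  'action'     => 'create',
  'user_id'    => 'mike',
  'password'   => 'hunter2',                     # constructed placeholder credential
  'user'       => { 'name' => 'Mike', 'Password' => 'nested-placeholder' }
}.freeze

if __FILE__ == $0
  puts "Parameters: #{filter_parameters(SAMPLE_PARAMS).inspect}"
  puts "Parameters: #{filter_all_user_input(SAMPLE_PARAMS).inspect}"
end
```

Running the file prints the login parameters twice, once with only the password fields replaced and once with everything but controller and action blanked; in both cases the nested 'Password' key is redacted because the filter descends into the 'user' hash, and the original params hash is left unmodified because values are duplicated before the block touches them.
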
Mike R. (Guest)
on 2007-04-14 01:32
(Received via mailing list)
Thanks, Bill.  I really appreciate your help.
Mike R. (Guest)
on 2007-04-14 02:38
(Received via mailing list)
That's perfect, Chris.  Thanks so much for taking the time to help me.

-- Mike