Forum: Ruby on Rails SSL before or after submit?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Paul B. (Guest)
on 2009-06-08 16:02
A general question regarding SSL and login. Does it matter if a login
form is not passed through SSL when sent to the user browser but the
post action is? Will the password be sent through SSL in this case?
Aaron T. (Guest)
on 2009-06-08 21:04
(Received via mailing list)
2009/6/8 Pål Bergström <removed_email_address@domain.invalid>:
>
> A general question regarding SSL and login. Does it matter if a login
> form is not passed through SSL when sent to the user browser but the
> post action is? Will the password be sent through SSL in this case?

Both need to be wrapped in SSL for proper security.  If the form is
not SSL then people can do MITM attacks (among others) to get the
username/password sent to the wrong server.


--
Aaron T.
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
Windows
Those who would give up essential Liberty, to purchase a little
temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
Paul B. (Guest)
on 2009-06-08 21:10
Aaron T. wrote:

> Both need to be wrapped in SSL for proper security.  If the form is
> not SSL then people can do MITM attacks (among others) to get the
> username/password sent to the wrong server.
>
>

Thanks for the clarification. :-)
Robert W. (Guest)
on 2009-06-08 22:20
Aaron T. wrote:
> 2009/6/8 P�l Bergstr�m <removed_email_address@domain.invalid>:
>>
>> A general question regarding SSL and login. Does it matter if a login
>> form is not passed through SSL when sent to the user browser but the
>> post action is? Will the password be sent through SSL in this case?
>
> Both need to be wrapped in SSL for proper security.  If the form is
> not SSL then people can do MITM attacks (among others) to get the
> username/password sent to the wrong server.
>
Besides that, users expect to see the lock (and https) on the page with
the login form. I'd be leery of any site that contained a
username/password that was not contained within a secure page. Plus
there's no good reason not to secure the login form's page.
Paul B. (Guest)
on 2009-06-08 23:08
Robert W. wrote:
> Aaron T. wrote:

> Besides that, users expect to see the lock (and https) on the page with
> the login form. I'd be leery of any site that contained a
> username/password that was not contained within a secure page. Plus
> there's no good reason not to secure the login form's page.

A strong reason. I say the same. I hesitate if I don't see the lock and
https.
This topic is locked and can not be replied to.