Forum: Ruby on Rails Password fields and security?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Joshua M. (Guest)
on 2006-01-24 17:35
Hi all

I wanted to ask why Rails' password_field helper uses the input password
as default value when reloading a form because of errors? Isn't this a
potential security leak? On any other website I've seen so far, the password
fields have to be filled in again after every reload of the site so the
password doesn't exist in plain text in the HTML code...

What do you think about that?
Greets, Josh
Bob S. (Guest)
on 2006-01-24 18:19
(Received via mailing list)
Questionable whether this should be a framework thing or controlled by
the programmer. I think I would rather have control over it than have it
imposed on me. Better yet, maybe a password field could recognize a
:reset_on_error attribute or something similar.

Submit a patch and see how it goes.

Bob S.
James L. (Guest)
on 2006-01-24 18:40
(Received via mailing list)
On 1/24/06, Bob S. <removed_email_address@domain.invalid> wrote:
> Questionable whether this should be a framework thing or controlled by the
> programmer. I think I would rather have control over it than have it imposed
> on me. Better yet, maybe a password field could recognize a :reset_on_error
> attribute or something similar.

For reference, the Struts tag html:password has an attribute called
"redisplay" that defaults to true.  Makes it easy for the developer to
decide how he wants the field to behave, and seemed like a pretty
simple solution.

-- James
Tom M. (Guest)
on 2006-01-24 21:22
(Received via mailing list)
And a single line in the controller:

self.password = ''

is less simple?

--
-- Tom M.
Tom M. (Guest)
on 2006-01-24 21:28
(Received via mailing list)
On Jan 24, 2006, at 11:22 AM, Tom M. wrote:

> And a single line in the controller:
>
> self.password = ''
>
> is less simple?

Oops, make that

@object.password = ''

I hate it when I need to reply to myself. :-)

--
-- Tom M.
James L. (Guest)
on 2006-01-24 21:52
(Received via mailing list)
On 1/24/06, Tom M. <removed_email_address@domain.invalid> wrote:
> @object.password = ''
>
> I hate it when I need to reply to myself. :-)

Same level of simplicity.  It just depends on whether or not you think
that it belongs in the controller instead of the view.

-- James
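The two approaches the thread weighs, clearing the attribute in the controller (Tom M.'s `@object.password = ''`) versus a helper-level switch like the Struts `redisplay` attribute James mentions, as an added plain-Ruby example that is not code from the original thread or from Rails itself. The `redisplay:` keyword on the toy `password_field` below is hypothetical and not a Rails option; the `Signup` struct and the form parameters are constructed.

```ruby
require "erb"

# Minimal stand-in for a model object with a password attribute (constructed).
Signup = Struct.new(:email, :password)

# Toy version of a form helper. Mirrors the behaviour the thread complains
# about: with redisplay: true the attribute's current value is echoed into
# the HTML as the input's value. Rails' real password_field has no
# redisplay option; the keyword is modelled on the Struts attribute named
# in the thread and is hypothetical here.
def password_field(object, method, redisplay: false)
  value = redisplay ? object.public_send(method).to_s : ""
  %(<input type="password" name="#{method}" value="#{ERB::Util.html_escape(value)}" />)
end

# The view: the same form re-rendered after validation fails.
def render_form(object, redisplay:)
  <<~HTML
    <form method="post">
      <input type="text" name="email" value="#{ERB::Util.html_escape(object.email.to_s)}" />
      #{password_field(object, :password, redisplay: redisplay)}
    </form>
  HTML
end

# Controller-style flow for a submit: validate, and on failure either
# re-render as-is (leaky) or blank the password first (the controller fix).
def handle_failed_submit(params, clear_password: true, redisplay: true)
  signup = Signup.new(params[:email], params[:password])
  valid = signup.email.to_s.include?("@")
  return "redirect: /welcome" if valid
  signup.password = "" if clear_password   # Tom M.'s one-liner
  render_form(signup, redisplay: redisplay)
end

# Detection check: does the rendered HTML contain the submitted secret?
def leaks_password?(html, secret)
  html.include?(ERB::Util.html_escape(secret))
end

if $PROGRAM_NAME == __FILE__
  params = { email: "not-an-email", password: "hunter2" }  # constructed input
  leaky = handle_failed_submit(params, clear_password: false)
  fixed = handle_failed_submit(params)
  puts "redisplay, no clearing: leaks=#{leaks_password?(leaky, params[:password])}"
  puts "cleared in controller:  leaks=#{leaks_password?(fixed, params[:password])}"
end
```

Either clearing the attribute before re-rendering or rendering the field with an empty value keeps the submitted password out of the response body; the `leaks_password?` check is the kind of assertion worth keeping in a view test.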