A security related question

Hi,

I’m running restful_authentication plugin on my projects.
When we login to the app the contents for the form that the login sends
are clearly available for anyone sniffing traffic. For example locally I
can see that the form sends:

authenticity_token=TEzCRYvzJbioHD3rpt3VuWHkl4rmrngRn3V%2BjCM9qz4%3D&login=user1&password=pass1&mobile=false&commit=Log+In

So the username and password can be seen there.

I know https would hide that, also the token is needed for anyone to use
those credentials later.

But, how can this be considered secure?
This is not directly related to restful_authentication plugin, common
issue with any other forms.

Cheers.

Hi
In application controller you can say like for example

filter_parameter_logging :password (where password is the field
name)

This the /password/i will be replaced by the value “[FILTERED]”

Sijo

Hi Sijo,

Thanks for the reply. Yes I forgot to mention that one. But
ilter_parameter_logging will filter it in the server logs. My concern is
before getting that to the server, it goes straight from the browser in
this form:

authenticity_token=TEzCRYvzJbioHD3rpt3VuWHkl4rmrngRn3V%2BjCM9qz4%3D&login=user1&password=pass1&mobile=false&commit=Log+In

I guess this is where HTTPS takes the stage…

Regards

Yes you are right

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs