A security related question

Hi,

I’m running restful_authentication plugin on my projects.
When we login to the app the contents for the form that the login sends
are clearly available for anyone sniffing traffic. For example locally I
can see that the form sends:

authenticity_token=TEzCRYvzJbioHD3rpt3VuWHkl4rmrngRn3V%2BjCM9qz4%3D&login=user1&password=pass1&mobile=false&commit=Log+In

So the username and password can be seen there.

I know https would hide that, also the token is needed for anyone to use
those credentials later.

But, how can this be considered secure?
This is not directly related to restful_authentication plugin, common
issue with any other forms.

Cheers.

Hi
In application controller you can say like for example

filter_parameter_logging :password (where password is the field
name)

With this, any parameter matching /password/i will be replaced by the value “[FILTERED]”

Sijo

Hi Sijo,

Thanks for the reply. Yes I forgot to mention that one. But
filter_parameter_logging will filter it in the server logs. My concern is
before getting that to the server, it goes straight from the browser in
this form:

authenticity_token=TEzCRYvzJbioHD3rpt3VuWHkl4rmrngRn3V%2BjCM9qz4%3D&login=user1&password=pass1&mobile=false&commit=Log+In

I guess this is where HTTPS takes the stage…

Regards

Yes you are right
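To make the distinction in this thread concrete, here is an added example (not part of the original posts and not code from the restful_authentication plugin or Rails itself) written in plain Ruby. It parses a form body of the same shape as the one quoted above (the token value is constructed, not a real session token), applies the kind of case-insensitive name filter that filter_parameter_logging :password sets up, and shows that the filter only changes what reaches the log while the body on the wire still carries the plaintext password. The helper names parse_form_body, filter_for_logging and log_line are assumptions for this illustration.

```ruby
require "uri"

# Constructed sample body, same shape as the one quoted in the thread.
# The authenticity_token value is made up for this example.
RAW_BODY = "authenticity_token=EXAMPLETOKEN%3D&login=user1&password=pass1&mobile=false&commit=Log+In"

# Parameter-name patterns whose values must never reach the log.
# This mirrors filter_parameter_logging :password, which Rails matches
# case-insensitively against each parameter name.
FILTERED_KEYS = [/password/i].freeze

# Parse an application/x-www-form-urlencoded body into a Hash of name => value.
def parse_form_body(body)
  URI.decode_www_form(body).to_h
end

# Return a copy of the params that is safe to log: every parameter whose
# name matches one of the patterns has its value replaced by "[FILTERED]".
def filter_for_logging(params, patterns = FILTERED_KEYS)
  params.each_with_object({}) do |(key, value), out|
    out[key] = patterns.any? { |re| key.match?(re) } ? "[FILTERED]" : value
  end
end

# Format the parameters the way a Rails request log entry would show them.
def log_line(params)
  "Parameters: #{params.inspect}"
end

if __FILE__ == $PROGRAM_NAME
  params = parse_form_body(RAW_BODY)
  puts log_line(filter_for_logging(params))
  # The filter never touches the request itself; only TLS protects it in transit.
  puts "Wire body still contains the plaintext password: #{RAW_BODY.include?('password=pass1')}"
end
```

Running the script prints a log line with password => "[FILTERED]" and then confirms that RAW_BODY, the data a sniffer would see without HTTPS, is unchanged.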