How to obscure/encrypt password parameter?

Hi all-

I am building an application that includes a login screen. During
development I found that user passwords are logged by Rails in plain
text – this will not be acceptable to my users. Is there a way to
obscure/encrypt incoming password parameters or not write them to the
log files at all? One thought was to use Javascript, but I was not sure
how secure that would be.

Thanks,
Josh

From the Rails WIKI

http://wiki.rubyonrails.com/rails/pages/HowtoAuthenticate

Q: Don’t plain-text passwords still show up in the access log files as
part of the POST requests? Anyone know how to prevent that?

A: Yes, post data shows up in log files including passwords. To prevent
this adjust your logging level:

    RAILS_DEFAULT_LOGGER.level = Logger::WARN

A: I also ran into this problem. Rather than just change the log level
everywhere, I wanted to only increase it around controller actions that
dealt with passwords. Additionally, the default logging level for
development is Logger::DEBUG, but for production it’s Logger::INFO.

So what I did was add two methods to my login controller:

    def upgrade_logging
      RAILS_DEFAULT_LOGGER.level = Logger::WARN
    end

    def restore_logging
      if ENV['RAILS_ENV'] == "production"
        RAILS_DEFAULT_LOGGER.level = Logger::INFO
      elsif ENV['RAILS_ENV'] == "development"
        RAILS_DEFAULT_LOGGER.level = Logger::DEBUG
      end
    end

and then set up before_filters to call them around my sensitive actions:

    before_filter :upgrade_logging,
      :except => [:home_page, :logout, :list_users, :delete_user]
    before_filter :restore_logging,
      :except => [:add_user, :login, :change_password, :reset_password]

If you still want to see other request parameters but not passwords,
check out this patch:

http://dev.rubyonrails.org/ticket/1897

I noticed this is already applied to the HEAD, so check out edge rails
if you don’t want to do the work yourself.

Thanks for the information, but the latter suggestion would not seem to
work. Logging of parameters is done by Rails code that is executed
before it reaches my application code (e.g. prior to the before_filter
being called), so the parameters still appear in the log. The first
method below eliminates the logging of some valuable information.

Although I would prefer not to need to modify the Rails source code, it
seems that the second response to my posting would be the most
preferable.

Thanks!

Brian H. wrote:

From the Rails WIKI

http://wiki.rubyonrails.com/rails/pages/HowtoAuthenticate

Q: Don’t plain-text passwords still show up in the access log files as
part of the POST requests? Anyone know how to prevent that?

A: Yes, post data shows up in log files including passwords. To prevent
this adjust your logging level:

    RAILS_DEFAULT_LOGGER.level = Logger::WARN

A: I also ran into this problem. Rather than just change the log level
everywhere, I wanted to only increase it around controller actions that
dealt with passwords. Additionally, the default logging level for
development is Logger::DEBUG, but for production it’s Logger::INFO.

So what I did was add two methods to my login controller:

    def upgrade_logging
      RAILS_DEFAULT_LOGGER.level = Logger::WARN
    end

    def restore_logging
      if ENV['RAILS_ENV'] == "production"
        RAILS_DEFAULT_LOGGER.level = Logger::INFO
      elsif ENV['RAILS_ENV'] == "development"
        RAILS_DEFAULT_LOGGER.level = Logger::DEBUG
      end
    end

and then set up before_filters to call them around my sensitive actions:

    before_filter :upgrade_logging,
      :except => [:home_page, :logout, :list_users, :delete_user]
    before_filter :restore_logging,
      :except => [:add_user, :login, :change_password, :reset_password]

Don’t mean to be a pest, but the patch[1] and corresponding changeset
4200[2] address your specific problem from the core api. If the other
suggestion works for you, great but I don’t want you to have incorrect
information.

[1] http://dev.rubyonrails.org/ticket/1897
[2] http://dev.rubyonrails.org/changeset/4200

I was actually just looking at that changeset. At first it seemed that
the change should be in the latest version of Rails (1.1.4), but per
this note on the blog, it will not be included until v1.2:


filter_parameter_logging is a new feature, thus its slated for 1.2.0.
New releases in the Rails 1.1.x line will only contain bug fixes.

Benjamin – is there another way to get the plugin? I have not been
able to reach the subversion server listed in the link you provided
above.

Nevermind, I was able to find the plugin at
http://suven.no-ip.org/filter_logged_params.tar.gz.

-Josh
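The two approaches discussed in this thread differ in where they act: raising the logger level in a before_filter runs after Rails has already written the "Parameters: {...}" line, whereas ticket 1897 / changeset 4200 scrub the parameter hash before that line is written. The following is an added, stand-alone illustration of the second idea written for this page; it is not the Rails patch, the filter_logged_params plugin, or code from any of the posters, and the function names (filter_logged_params, scrub, log_request, demo_log_text), the "[FILTERED]" marker and the sample login parameters are all constructed for the example.

```ruby
require 'logger'
require 'stringio'

# Marker written in place of a sensitive value (constructed for this example).
FILTERED = "[FILTERED]".freeze

# Build case-insensitive regexps from the configured key patterns.
# Regexps are kept as given; strings and symbols become substring matches,
# so :password also covers "password_confirmation" and "old_password".
def compile_patterns(patterns)
  patterns.map { |p| p.is_a?(Regexp) ? p : /#{Regexp.escape(p.to_s)}/i }
end

# Deep-copy +value+, replacing the value of every key that matches one of
# +regexps+ with FILTERED. Nested hashes and arrays are walked, so
# user[password] and credentials[][password] do not slip through.
def scrub(value, regexps)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), acc|
      acc[k] = regexps.any? { |re| k.to_s =~ re } ? FILTERED : scrub(v, regexps)
    end
  when Array
    value.map { |v| scrub(v, regexps) }
  else
    value
  end
end

# Entry point: the params hash a controller is about to log, filtered.
def filter_logged_params(params, patterns)
  scrub(params, compile_patterns(patterns))
end

# Stand-in for the request-start lines Rails writes. The filter is applied
# here, before the line exists, rather than by lowering the logger level
# afterwards in a before_filter, which is too late.
def log_request(logger, action, params, patterns)
  logger.info("Processing #{action} [POST]")
  logger.info("  Parameters: #{filter_logged_params(params, patterns).inspect}")
end

# Demo: log a constructed login request to an in-memory logger and return
# the text that would otherwise have reached log/development.log.
def demo_log_text
  io = StringIO.new
  logger = Logger.new(io)
  logger.formatter = proc { |_severity, _time, _progname, msg| "#{msg}\n" }
  # Constructed sample request parameters for a hypothetical login form.
  params = {
    "controller" => "sessions", "action" => "create",
    "user" => { "login" => "josh", "password" => "hunter2",
                "password_confirmation" => "hunter2" },
    "remember_me" => "1"
  }
  log_request(logger, "SessionsController#create", params, [:password])
  io.string
end

puts demo_log_text if __FILE__ == $0
```

Run with `ruby filter_demo.rb`: the login and remember_me values still appear in the output, while both password fields are replaced by "[FILTERED]". Matching on key names rather than on specific parameter paths is deliberate: a new form that posts a password under a different nesting still gets scrubbed, and the decision is made once where the log line is produced rather than per action.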

There is also the plugin version (http://agilewebdevelopment.com/
plugins/filter_logged_params) for older versions of Rails.


Benjamin C.
http://www.bencurtis.com/
http://www.tesly.com/ – Collaborative test case management
http://www.agilewebdevelopment.com/ – Resources for the Rails community