Password fields and security?


#1

Hi all

I wanted to ask why Rails’ password_field helper uses the input password
as default value when reloading a form because of errors? Isn’t this a
potential security leak? On any other websites I’ve seen so far the password
fields have to be filled in again after every reload of the site so the
password doesn’t exist in plain text in the html code…

What do you think about that?
Greets, Josh


#2

Questionable whether this should be a framework thing or controlled by
the programmer. I think I would rather have control over it than have it
imposed on me. Better yet, maybe a password field could recognize a
:reset_on_error attribute or something similar.

Submit a patch and see how it goes.

Bob S.


#3

And a single line in the controller:

self.password = ''

is less simple?


– Tom M.


#4

On Jan 24, 2006, at 11:22 AM, Tom M. wrote:

And a single line in the controller:

self.password = ''

is less simple?

Oops, make that

@object.password = ''

I hate it when I need to reply to myself. :)


– Tom M.


#5

On 1/24/06, Tom M. removed_email_address@domain.invalid wrote:

@object.password = ''

I hate it when I need to reply to myself. :)

Same level of simplicity. It just depends on whether or not you think
that it belongs in the controller instead of the view.

– James


#6

On 1/24/06, Bob S. removed_email_address@domain.invalid wrote:

Questionable whether this should be a framework thing or controlled by the
programmer. I think I would rather have control over it than have it imposed
on me. Better yet, maybe a password field could recognize a :reset_on_error
attribute or something similar.

For reference, the Struts tag html:password has an attribute called
“redisplay” that defaults to true. Makes it easy for the developer to
decide how he wants the field to behave, and seemed like a pretty
simple solution.

– James
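To make the thread's point concrete, here is an added example (not from the original posts, and not Rails' or Struts' own code) with a deliberately simplified, hypothetical password_field helper that behaves like the one Josh describes: on a failed validation it writes the submitted password back into the HTML. It shows both mitigations discussed above, Tom's controller-side `@object.password = ''` and a Struts-style `redisplay:` option on the helper; the Signup class and the `render_*` functions are constructed stand-ins for a model and controller actions.

```ruby
require 'cgi'

# Constructed stand-in for a Rails model; not ActiveRecord.
class Signup
  attr_accessor :login, :password, :errors

  def initialize(login, password)
    @login, @password, @errors = login, password, []
  end

  # Toy validation so that short logins fail and the form is re-rendered.
  def valid?
    @errors = []
    @errors << 'login is too short' if login.to_s.length < 4
    @errors.empty?
  end
end

# Hypothetical helper modelled on the behaviour described in the thread:
# the object's current attribute value is embedded in the markup unless
# redisplay: false is given (analogous to the Struts "redisplay" attribute).
def password_field(object, method, redisplay: true)
  value = redisplay ? CGI.escapeHTML(object.public_send(method).to_s) : ''
  name = "#{object.class.name.downcase}[#{method}]"
  %(<input type="password" name="#{name}" value="#{value}" />)
end

# Error path as Josh saw it: the form comes back with the password in plain text.
def render_after_failed_validation(signup, redisplay: true)
  return '' if signup.valid?
  password_field(signup, :password, redisplay: redisplay)
end

# Tom's fix, done in the controller: blank the attribute before rendering.
def render_with_controller_reset(signup)
  return '' if signup.valid?
  signup.password = ''
  password_field(signup, :password)
end

# Defender's check: does the rendered HTML still contain the submitted secret?
def leaks_password?(html, password)
  html.include?(CGI.escapeHTML(password))
end
```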