Unencrypted Password Appears in Log


#1

I have a requirement to authenticate my app users through Active
Directory. My login form captures a user’s ID and password and passes
them to a net/ldap routine. I’m using form_for…|form| to create
the form and form.password_field to create the password field. The
password entry is encrypted on the screen but appears unencrypted in
the development log in the params listing.

What can I do to keep the unencrypted password from appearing in the
log?

Thanks,

Mike


#2

Hi Mike,

imdwalrus wrote:

What can I do to keep the unencrypted password from
appearing in the log?

I have a requirement to filter all user input from my logs, so this
isn’t
specific to passwords. This’ll get you in the ballpark, though.

Inside application.rb, outside the methods

if %w(production).include?(ENV[‘RAILS_ENV’])
filter_parameter_logging { |k,v| v.replace ‘’ unless k ==
‘controller’ or
k == ‘action’}
end

hth,
Bill


#3

Use filter_parameter_logging:

http://api.rubyonrails.org/classes/ActionController/Base.html#M000260

You can stick this in your ApplicationController, or do it on a per-
controller basis.

Chris


#4

Thanks, Bill. I really appreciate your help.


#5

That’s perfect, Chris. Thanks so much for taking the time to help me.

– Mike