Forum: Ruby on Rails SSL before or after submit?

Paul Bergstrom (palb)
on 2009-06-08 14:02
A general question regarding SSL and login. Does it matter if a login
form is not passed through SSL when sent to the user browser but the
post action is? Will the password be sent through SSL in this case?
Aaron Turner (Guest)
on 2009-06-08 19:04
(Received via mailing list)
2009/6/8 Pål Bergström <rails-mailing-list@andreas-s.net>:
>
> A general question regarding SSL and login. Does it matter if a login
> form is not passed through SSL when sent to the user browser but the
> post action is? Will the password be sent through SSL in this case?

Both need to be wrapped in SSL for proper security.  If the form is
not SSL then people can do MITM attacks (among others) to get the
username/password sent to the wrong server.


--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
Paul Bergstrom (palb)
on 2009-06-08 19:10
Aaron Turner wrote:

> Both need to be wrapped in SSL for proper security.  If the form is
> not SSL then people can do MITM attacks (among others) to get the
> username/password sent to the wrong server.
>
>

Thanks for the clarification. :-)
Robert Walker (robert4723)
on 2009-06-08 20:20
Aaron Turner wrote:
> 2009/6/8 Pål Bergström <rails-mailing-list@andreas-s.net>:
>>
>> A general question regarding SSL and login. Does it matter if a login
>> form is not passed through SSL when sent to the user browser but the
>> post action is? Will the password be sent through SSL in this case?
>
> Both need to be wrapped in SSL for proper security.  If the form is
> not SSL then people can do MITM attacks (among others) to get the
> username/password sent to the wrong server.
>
Besides that, users expect to see the lock (and https) on the page with
the login form. I'd be leery of any site that contained a
username/password that was not contained within a secure page. Plus
there's no good reason not to secure the login form's page.
Paul Bergstrom (palb)
on 2009-06-08 21:08
Robert Walker wrote:
> Aaron Turner wrote:

> Besides that, users expect to see the lock (and https) on the page with
> the login form. I'd be leery of any site that contained a
> username/password that was not contained within a secure page. Plus
> there's no good reason not to secure the login form's page.

A strong reason. I say the same. I hesitate if I don't see the lock and
https.
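
Added example, not part of the original thread: a small Ruby audit that flags the situation discussed above, a password form whose page is served over plain HTTP even though its action is HTTPS, as well as the reverse case. The function name, the sample URLs and the regex-based tag scanning are assumptions made for illustration.

```ruby
require "uri"

# Audit one fetched page: every <form> containing a password field must be
# served over HTTPS *and* submit to HTTPS. Regex tag scanning is an assumption
# that keeps this stdlib-only; a real audit would use an HTML parser.
def audit_login_forms(page_url, html)
  page = URI.parse(page_url)
  findings = []
  html.scan(/<form\b([^>]*)>(.*?)<\/form>/mi) do |attrs, body|
    next unless body =~ /<input\b[^>]*type\s*=\s*["']?password/i
    action = attrs[/action\s*=\s*["']([^"']*)["']/i, 1].to_s
    # An empty or relative action resolves against the page URL,
    # so it inherits the page's scheme.
    target = action.empty? ? page : page.merge(action)
    issues = []
    issues << :form_page_not_https unless page.scheme == "https"
    issues << :action_not_https unless target.scheme == "https"
    findings << { action: target.to_s, issues: issues }
  end
  findings
end

# Constructed sample pages (not taken from the thread).
FORM = '<form action="%s" method="post"><input name="login">' \
       '<input type="password" name="password"></form>'
SAMPLES = {
  # The case asked about: HTTP page, HTTPS post action.
  "http://example.test/login"  => format(FORM, "https://example.test/session"),
  # Both page and action over HTTPS.
  "https://example.test/login" => format(FORM, "/session"),
  # HTTPS page that posts the password to an HTTP action.
  "https://example.test/old"   => format(FORM, "http://example.test/session"),
}

if __FILE__ == $0
  SAMPLES.each do |url, html|
    puts "#{url}: #{audit_login_forms(url, html).inspect}"
  end
end
```
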