Forum: Ruby on Rails Password fields and security?

Joshua Muheim (josh)
on 2006-01-24 16:35
Hi all

I wanted to ask why Rails' password_field helper uses the input password
as the default value when reloading a form because of errors? Isn't this a
potential security leak? On any other websites I've seen so far the password
fields have to be filled in again after every reload of the site so the
password doesn't exist in plain text in the HTML code...

What do you think about that?
Greets, Josh
Bob Silva (Guest)
on 2006-01-24 17:19
(Received via mailing list)
Questionable whether this should be a framework thing or controlled by
the programmer. I think I would rather have control over it than have it
imposed on me. Better yet, maybe a password field could recognize a
:reset_on_error attribute or something similar.

Submit a patch and see how it goes.

Bob Silva
James Ludlow (Guest)
on 2006-01-24 17:40
(Received via mailing list)
On 1/24/06, Bob Silva <me@bobsilva.com> wrote:
> Questionable whether this should be a framework thing or controlled by the
> programmer. I think I would rather have control over it than have it imposed
> on me. Better yet, maybe a password field could recognize a :reset_on_error
> attribute or something similar.

For reference, the Struts tag html:password has an attribute called
"redisplay" that defaults to true.  Makes it easy for the developer to
decide how he wants the field to behave, and seemed like a pretty
simple solution.

-- James
Tom Mornini (Guest)
on 2006-01-24 20:22
(Received via mailing list)
And a single line in the controller:

self.password = ''

is less simple?

--
-- Tom Mornini
Tom Mornini (Guest)
on 2006-01-24 20:28
(Received via mailing list)
On Jan 24, 2006, at 11:22 AM, Tom Mornini wrote:

> And a single line in the controller:
>
> self.password = ''
>
> is less simple?

Oops, make that

@object.password = ''

I hate it when I need to reply to myself. :-)

--
-- Tom Mornini
James Ludlow (Guest)
on 2006-01-24 20:52
(Received via mailing list)
On 1/24/06, Tom Mornini <tmornini@infomania.com> wrote:
> @object.password = ''
>
> I hate it when I need to reply to myself. :-)

Same level of simplicity.  It just depends on whether or not you think
that it belongs in the controller instead of the view.

-- James
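Added example, not code from any of the posters above and not Rails' own password_field: a small stand-alone Ruby script that contrasts the three options discussed in the thread. The input_tag, password_field, validate and create methods are hypothetical stand-ins (no Rails needed), the redisplay: switch copies the Struts attribute James mentions, the :controller branch is Tom's @object.password = '' done before the form is rendered again, and the :helper branch is the :reset_on_error idea where the helper itself never writes the value. The submitted params are constructed; a leaks? check shows that the submitted password only ends up in the re-rendered HTML in the redisplay case.

```ruby
require "erb"

# Render one <input> element from a hash of attributes. Every value is
# HTML-escaped so a submitted password containing quotes or angle brackets
# cannot break out of the value attribute.
def input_tag(attrs)
  pairs = attrs.map { |k, v| %(#{k}="#{ERB::Util.html_escape(v.to_s)}") }
  "<input #{pairs.join(' ')} />"
end

# Stand-in for a form builder's password field (hypothetical, not Rails' own
# helper). With redisplay: false the submitted value is never written into
# the tag, which is the :reset_on_error behaviour proposed in the thread.
def password_field(object_name, method, value, redisplay: false)
  attrs = { "type" => "password",
            "name" => "#{object_name}[#{method}]",
            "id"   => "#{object_name}_#{method}" }
  attrs["value"] = value if redisplay && !value.nil?
  input_tag(attrs)
end

# Controller-side alternative from the thread (@object.password = ''): blank
# the secret attributes before the form is rendered again.
def scrub_passwords(attributes, keys = %w[password password_confirmation])
  keys.each_with_object(attributes.dup) { |k, h| h[k] = "" if h.key?(k) }
end

# Toy validation standing in for model validations (constructed for the example).
def validate(attrs)
  errors = []
  errors << "login can't be blank" if attrs["login"].to_s.strip.empty?
  errors << "password is too short" if attrs["password"].to_s.length < 8
  errors
end

# Simulated create action. On validation failure the form is re-rendered with
# one of three strategies:
#   :redisplay  - the helper writes the submitted password back (what Josh asks about)
#   :controller - Tom's approach: blank the attribute, helper left unchanged
#   :helper     - Bob/James's approach: the helper itself drops the value
# Returns [errors, rendered_html]; html is nil when the submission was valid.
def create(params, approach: :helper)
  errors = validate(params)
  return [errors, nil] if errors.empty?

  attrs = approach == :controller ? scrub_passwords(params) : params
  redisplay = approach != :helper
  html = [
    input_tag({ "type" => "text", "name" => "user[login]", "value" => attrs["login"] }),
    password_field("user", "password", attrs["password"], redisplay: redisplay)
  ].join("\n")
  [errors, html]
end

# True if the secret appears in the page, raw or in its HTML-escaped form
# (which is what a browser decodes back into the original characters).
def leaks?(html, secret)
  html.include?(secret) || html.include?(ERB::Util.html_escape(secret))
end

# Constructed submission: blank login and a 7-character password, so the form
# is re-rendered with two errors. The password includes characters that must
# be escaped to show that escaping alone does not keep it out of the page.
SUBMITTED = { "login" => "", "password" => %q(pw"><b>) }.freeze

if __FILE__ == $0
  %i[redisplay controller helper].each do |approach|
    errors, html = create(SUBMITTED, approach: approach)
    puts "#{approach}: #{errors.size} error(s), password in HTML: #{leaks?(html, SUBMITTED['password'])}"
    puts html, ""
  end
end
```

Run it with plain ruby; it needs nothing outside the standard library. Either fix works, the difference is only whether the "forget the password on re-render" decision lives in the controller (per action) or in the helper (per field), which is exactly the trade-off James points out.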