By default, all the parameters are displayed in the production.log on a POST. Unfortunately, this includes all the plain-text passwords that people type into the login form on my application, which is a huge security risk. I'm using a custom evaluation system that hooks into LDAP (not any of the generators/plugins).
def login
  RAILS_DEFAULT_LOGGER.info "Attempting to authenticate user '#{params[:login]}'"
  # Declare the variable outside the block: a local first assigned inside a
  # Ruby block is not visible after the block ends.
  user = nil
  RAILS_DEFAULT_LOGGER.silence do
    # however you're doing the authentication..., e.g.
    user = User.authenticate_somehow(params[:login],
                                     params[:cleartext_password_or_whatever])
  end
  RAILS_DEFAULT_LOGGER.info "Login failed!" if user.nil?
  # ... and then whatever else you need to do.
end
For extra credit, you can even make the silencing ONLY happen when RAILS_ENV == 'production'.
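A complementary approach to silencing the logger during authentication is to redact the sensitive values before the parameters are ever written, so the login attempt itself can still be logged without the password. The following is an added, stand-alone Ruby example, not code from the thread above or from Rails; the key list, the `filter_params` and `capture_login_log` helpers, and the sample parameter hash are all constructed for illustration.

```ruby
require 'logger'
require 'stringio'

# Substrings that mark a parameter as secret (constructed list for this
# example; extend it to match the field names your login form uses).
SENSITIVE_KEYS = %w[password passwd cleartext_password].freeze

# Return a copy of params with every value under a sensitive key replaced by
# '[FILTERED]'. Recurses into nested hashes and arrays so a password inside
# params[:user] is caught as well as a top-level one.
def filter_params(params, sensitive = SENSITIVE_KEYS)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      name = key.to_s.downcase
      out[key] = if sensitive.any? { |s| name.include?(s) }
                   '[FILTERED]'
                 else
                   filter_params(value, sensitive)
                 end
    end
  when Array
    params.map { |value| filter_params(value, sensitive) }
  else
    params
  end
end

# Produce the log text for one login attempt, writing to an in-memory buffer
# so the result can be inspected. The params hash stands in for the request
# parameters a controller would receive.
def capture_login_log(params)
  buffer = StringIO.new
  logger = Logger.new(buffer)
  logger.info("Attempting to authenticate user '#{params[:login]}'")
  logger.info("Parameters: #{filter_params(params).inspect}")
  buffer.string
end

if __FILE__ == $0
  # Constructed sample request: the password must not appear in the output.
  puts capture_login_log(login: 'alice',
                         password: 'hunter2',
                         user: { cleartext_password_or_whatever: 'hunter2' })
end
```

Because the redaction happens on a copy of the hash, the controller still sees the real password for the LDAP check; only the logged representation is scrubbed, and the matching is a case-insensitive substring test so `Password`, `password_confirmation` and similar variants are covered too.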