Hey, I'm new so I don't know if this is a stupid question, but I implemented this tutorial from the Rails recipe book, "Chapter 31 - Authentication", that shows you how to create user login using a hash + salt. I followed the steps, tried it out, and it works.

I decided to look into my development.log files and I can see the log files are writing the passwords in the clear. Is this bad? I'm thinking this is.

If this is BAD, does anyone know how I can modify that Rails recipe so it doesn't write it into the development.log?

--------------------------------------------------
Example log entry
--------------------------------------------------
Processing AdminController#signin (for 127.0.0.1 at 2006-12-30 22:16:35) [POST]
  Session ID: b290bf59fce1ff0e1a9520aa4e15ccfb
  Parameters: {"commit"=>"Sign In", "username"=>"testuser", "action"=>"signin", "controller"=>"admin", "password"=>"password"}
--------------------------------------------------

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
jjathman-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2007-Jan-06 03:40 UTC
Re: Rails Recipe 31 - Authenticating Users Logs Reveals Passwords
To prevent any parameter from being logged you can add a line to your controller like this:

  filter_parameter_logging :password, :user # won't log password or user

So if you put this in your ApplicationController you won't get this logged in any controller.

http://api.rubyonrails.com/classes/ActionController/Base.html#M000201
wheels
2007-Jan-06 04:54 UTC
Re: Rails Recipe 31 - Authenticating Users Logs Reveals Passwords
How do you use this filtering in the default runtime exception page?
newbie
2007-Jan-06 16:37 UTC
Re: Rails Recipe 31 - Authenticating Users Logs Reveals Passwords
Hey, thanks for the tip on "filtering". So I want to know: is it good practice for development that we see everything, but for production we should filter it? Should you filter more stuff than the username and password? Should actions be filtered?

It is a log file; I'm more concerned about how much of a security risk it is and what best practices there are. There are a lot of people who are buying this book and probably going to use that recipe "as is". It would be good to notify the author and let him know that in the next release he should update that recipe and include:

  filter_parameter_logging

Thanks for your response!
Conrad Taylor
2007-Jan-06 18:20 UTC
Re: Rails Recipe 31 - Authenticating Users Logs Reveals Passwords
Hi, I would highly recommend sending the author of this book an e-mail so that it can be updated in the PDF as well as future releases.

-Conrad

On 1/5/07, newbie <alen198-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> Hey I'm new so I don't know if this is a stupid question, but I
> implemented this tutorial from the rails recipe book "Chapter 31 -
> Authentication", that shows you how to create user login using a hash +
> salt. I followed the steps tried it out and it works.
>
> I decided to look into my development.log files and I can see the log
> files are writing the passwords in the clear. Is this bad? I'm
> thinking this is.
>
> If this is BAD does anyone know how I can modify that rails recipe so
> it doesn't write it into the development.log
>
> --------------------------------------------------
> Example log entry
> --------------------------------------------------
> Processing AdminController#signin (for 127.0.0.1 at 2006-12-30
> 22:16:35) [POST]
> Session ID: b290bf59fce1ff0e1a9520aa4e15ccfb
> Parameters: {"commit"=>"Sign In", "username"=>"testuser",
> "action"=>"signin", "controller"=>"admin", "password"=>"password"}
> --------------------------------------------------
subimage interactive
2007-Jan-06 21:01 UTC
Re: Rails Recipe 31 - Authenticating Users Logs Reveals Passwords
In production mode most people only log errors or warnings. This by itself takes care of the problem. I'm sure the author of 'Recipes' is highly aware of that.

On 1/6/07, Conrad Taylor <conradwt-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> Hi, I would highly recommend sending the author of this book an e-mail
> so that it can be updated in the PDF as well as future releases.
>
> -Conrad
>
> On 1/5/07, newbie <alen198-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> >
> > Hey I'm new so I don't know if this is a stupid question, but I
> > implemented this tutorial from the rails recipe book "Chapter 31 -
> > Authentication", that shows you how to create user login using a hash +
> > salt. I followed the steps tried it out and it works.
> >
> > I decided to look into my development.log files and I can see the log
> > files are writing the passwords in the clear. Is this bad? I'm
> > thinking this is.
> >
> > If this is BAD does anyone know how I can modify that rails recipe so
> > it doesn't write it into the development.log
> >
> > --------------------------------------------------
> > Example log entry
> > --------------------------------------------------
> > Processing AdminController#signin (for 127.0.0.1 at 2006-12-30
> > 22:16:35) [POST]
> > Session ID: b290bf59fce1ff0e1a9520aa4e15ccfb
> > Parameters: {"commit"=>"Sign In", "username"=>"testuser",
> > "action"=>"signin", "controller"=>"admin", "password"=>"password"}
> > --------------------------------------------------

--
--------------------
seth at subimage interactive
-----
http://www.subimage.com
http://sublog.subimage.com
-----
http://www.getcashboard.com
http://dev.subimage.com/projects/substruct
newbie
2007-Jan-06 21:42 UTC
Re: Rails Recipe 31 - Authenticating Users Logs Reveals Passwords
I'm sure the author is well aware of this; it's more the noobs who will take this recipe as is. As you learn stuff you tend to take things as is, but understanding the "risks" involved and some possible solutions ("filter_parameter_logging") to fix them are important steps in learning.

Thanks for the feedback