Rails - Sep 2009 - A security related question

Hi,

I''m running restful_authentication plugin on my projects.
When we login to the app the contents for the form that the login sends
are clearly available for anyone sniffing traffic. For example locally I
can see that the form sends:

authenticity_token=TEzCRYvzJbioHD3rpt3VuWHkl4rmrngRn3V%2BjCM9qz4%3D&login=user1&password=pass1&mobile=false&commit=Log+In

So the username and password can be seen there.

I know https would hide that, also the token is needed for anyone to use
those credentials later.

But, how can this be considered secure?
This is not directly related to restful_authentication plugin, common
issue with any other forms.

Cheers.
-- 
Posted via http://www.ruby-forum.com/.

Hi
   In application controller you can say like for example

filter_parameter_logging :password     (where password is the field 
name)

 This  the /password/i will be replaced by the value "[FILTERED]"


Sijo
-- 
Posted via http://www.ruby-forum.com/.

Hi Sijo,

Thanks for the reply. Yes I forgot to mention that one. But 
ilter_parameter_logging will filter it in the server logs. My concern is 
before getting that to the server, it goes straight from the browser in 
this form:

authenticity_token=TEzCRYvzJbioHD3rpt3VuWHkl4rmrngRn3V%2BjCM9qz4%3D&login=user1&password=pass1&mobile=false&commit=Log+In

I guess this is where HTTPS takes the stage...

Regards
-- 
Posted via http://www.ruby-forum.com/.

Yes you are right
-- 
Posted via http://www.ruby-forum.com/.