By default, all the parameters are displayed in the production.log on a POST.

Unfortunately, this includes all the plain-text passwords that people type into the login form on my application, which is a huge security risk. I'm using a custom evaluation system that hooks into LDAP (not any of the generators/plugins).

View code is simple:

    <%= text_field 'employee', 'login', :size => 20 %>
    ...
    <%= password_field 'employee', 'password', :size => 20 %>

Any ideas on how to stop the passwords from being logged when the login page is submitted?

Thanks,

Ken
Brian Hogan
2006-Feb-24 19:35 UTC
[Rails] Plain text passwords displayed in production.log
Yes... read the docs on the logger... in production/environment.rb you can set the output level of your logger. I don't remember it offhand though.

On 2/24/06, Ken Pratt <ken@kenpratt.net> wrote:
> Any ideas on how to stop the passwords from being logged when the login page is submitted?
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
Jeremy Evans
2006-Feb-24 21:22 UTC
[Rails] Plain text passwords displayed in production.log
On 2/24/06, Ken Pratt <ken@kenpratt.net> wrote:
> Any ideas on how to stop the passwords from being logged when the login page is submitted?

Try the Filter Logged Parameters plugin: http://wiki.rubyonrails.org/rails/pages/Filter+Logged+Params+Plugin
Ezra Zygmuntowicz
2006-Feb-24 21:59 UTC
[Rails] Plain text passwords displayed in production.log
In your environment.rb inside the config block you need to uncomment and set your log level like this:

    config.log_level = :warn

Cheers-
-Ezra

On Feb 24, 2006, at 11:34 AM, Brian Hogan wrote:
> Yes... read the docs on the logger... in production/environment.rb you can set the output level of your logger. I don't remember it offhand though.

-Ezra Zygmuntowicz
Yakima Herald-Republic WebMaster
http://yakimaherald.com
509-577-7732
ezra@yakima-herald.com
Ken Pratt
2006-Feb-24 23:03 UTC
[Rails] Re: Plain text passwords displayed in production.log
Thanks Ezra. Although I'd still like the transaction log, that will do until I have time to test out the Plugin that Jeremy suggested.

-Ken
James Adam
2006-Feb-25 02:24 UTC
[Rails] Re: Plain text passwords displayed in production.log
How about, in your controller:

    def login
      RAILS_DEFAULT_LOGGER.info "Attempting to authenticate user '#{params[:login]}'"
      user = nil  # declared outside the block so the assignment inside it is visible afterwards
      RAILS_DEFAULT_LOGGER.silence do
        # however you're doing the authentication..., e.g.
        user = User.authenticate_somehow(params[:login], params[:cleartext_password_or_whatever])
      end
      RAILS_DEFAULT_LOGGER.info "Login failed!" if user.nil?
      # ... and then whatever else you need to do.
    end

For extra credit, you can even make the silencing ONLY happen when RAILS_ENV == 'production'.

- james

On 2/24/06, Ken Pratt <ken@kenpratt.net> wrote:
> Thanks Ezra. Although I'd still like the transaction log, that will do until I
> have time to test out the Plugin that Jeremy suggested.
>
> -Ken

--
* J * ~
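The two approaches in this thread, filtering sensitive values out of the params hash before it is logged (Jeremy's plugin suggestion) and temporarily silencing the logger around the authentication call (James's controller code), shown together in an added example that is not code from the original posts, the Filter Logged Params plugin or Rails itself. It uses Ruby's standard-library Logger writing to a StringIO instead of RAILS_DEFAULT_LOGGER; the names `filter_params`, `sensitive_key?`, `silence_logger`, `log_login_request`, `SENSITIVE_KEYS` and `SAMPLE_PARAMS` are this example's own, and the POST body is constructed to mirror the form fields quoted above. The filter recurses into nested hashes and arrays, which is what a form like `employee[password]` produces and where a flat key check would miss the value.

```ruby
require 'logger'
require 'stringio'

# Key fragments (matched case-insensitively) whose values must never reach
# the log. This list is constructed for the example; an application would
# configure its own.
SENSITIVE_KEYS = %w[password passwd secret token].freeze

# True when the parameter name contains one of the sensitive fragments.
def sensitive_key?(key)
  k = key.to_s.downcase
  SENSITIVE_KEYS.any? { |fragment| k.include?(fragment) }
end

# Return a deep copy of +params+ with every sensitive value replaced by
# "[FILTERED]". Nested hashes (employee[password]) and arrays of hashes are
# walked so nesting cannot bypass the filter; the original hash is untouched.
def filter_params(params)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = sensitive_key?(key) ? '[FILTERED]' : filter_params(value)
    end
  when Array
    params.map { |value| filter_params(value) }
  else
    params
  end
end

# Run the block with the logger raised to +level+ (the mechanism behind
# ActiveSupport's Logger#silence): anything logged below that level inside
# the block is dropped, and the previous level is restored even on error.
def silence_logger(logger, level = Logger::ERROR)
  old_level = logger.level
  logger.level = level
  yield
ensure
  logger.level = old_level
end

# Simulate the request logging for a login POST and return the log text,
# so the caller can check what did and did not end up in the log.
def log_login_request(params, io = StringIO.new)
  logger = Logger.new(io)
  logger.level = Logger::INFO
  login = params['employee']['login']

  logger.info 'Processing LoginController#login (POST)'
  # The transaction log keeps the parameters, minus the filtered values.
  logger.info "  Parameters: #{filter_params(params).inspect}"

  silence_logger(logger) do
    # Authentication work goes here. Any INFO/DEBUG line emitted while the
    # logger is silenced, including one that carelessly echoes the raw
    # credential, is suppressed.
    logger.info "LDAP bind for #{login} with #{params['employee']['password']}"
  end

  logger.info "Login attempt for '#{login}'"
  io.string
end

# Constructed sample POST body matching the text_field/password_field pair.
SAMPLE_PARAMS = {
  'employee' => { 'login' => 'kpratt', 'password' => 'hunter2' },
  'commit'   => 'Log in'
}.freeze

if __FILE__ == $0
  puts log_login_request(SAMPLE_PARAMS)
end
```

Filtering keeps the per-request transaction log that the original poster wanted while the password appears only as "[FILTERED]"; raising `config.log_level` to `:warn`, by contrast, drops the whole request line along with it. Silencing covers code inside the block only, so it does not protect the parameter dump Rails writes before the action runs; the two techniques complement rather than replace each other.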