By default, all the paramaters are displayed in the production.log on a POST. Unfortunately, this includes all the plain-text passwords that people type into the login form on my application, which is a huge security risk. I''m using a custom evaluation system that hooks into LDAP (not any of the generators/plugins). View code is simple: <%= text_field ''employee'', ''login'', :size => 20 %> ... <%= password_field ''employee'', ''password'', :size => 20 %> Any ideas on how to stop the passwords from being logged when the login page is submitted? Thanks, Ken
Brian Hogan
2006-Feb-24 19:35 UTC
[Rails] Plain text passwords displayed in production.log
Yes... read the docs on the logger... in production/environment.rb you can set the output level of your logger. I don''t remember it offhand though. On 2/24/06, Ken Pratt <ken@kenpratt.net> wrote:> > By default, all the paramaters are displayed in the production.log on a > POST. > > Unfortunately, this includes all the plain-text passwords that people type > into the login form on my application, which is a huge security risk. I''m > using a custom evaluation system that hooks into LDAP (not any of the > generators/plugins). > > View code is simple: > <%= text_field ''employee'', ''login'', :size => 20 %> > ... > <%= password_field ''employee'', ''password'', :size => 20 %> > > Any ideas on how to stop the passwords from being logged when the login > page > is submitted? > > Thanks, > > Ken > > _______________________________________________ > Rails mailing list > Rails@lists.rubyonrails.org > http://lists.rubyonrails.org/mailman/listinfo/rails >-------------- next part -------------- An HTML attachment was scrubbed... URL: http://wrath.rubyonrails.org/pipermail/rails/attachments/20060224/56d91fb5/attachment.html
Jeremy Evans
2006-Feb-24 21:22 UTC
[Rails] Plain text passwords displayed in production.log
On 2/24/06, Ken Pratt <ken@kenpratt.net> wrote:> Any ideas on how to stop the passwords from being logged when the login page > is submitted?Try the Filter Logged Parameters plugin: http://wiki.rubyonrails.org/rails/pages/Filter+Logged+Params+Plugin
Ezra Zygmuntowicz
2006-Feb-24 21:59 UTC
[Rails] Plain text passwords displayed in production.log
In your environment.rb inside the config block you need to uncomment
and set your log level like this:
config.log_level = :warn
Cheers-
-Ezra
On Feb 24, 2006, at 11:34 AM, Brian Hogan wrote:
> Yes... read the docs on the logger... in production/environment.rb
> you can set the output level of your logger. I don''t remember it
> offhand though.
>
> On 2/24/06, Ken Pratt <ken@kenpratt.net> wrote:By default, all the
> paramaters are displayed in the production.log on a POST.
>
> Unfortunately, this includes all the plain-text passwords that
> people type
> into the login form on my application, which is a huge security
> risk. I''m
> using a custom evaluation system that hooks into LDAP (not any of the
> generators/plugins).
>
> View code is simple:
> <%= text_field ''employee'', ''login'',
:size => 20 %>
> ...
> <%= password_field ''employee'',
''password'', :size => 20 %>
>
> Any ideas on how to stop the passwords from being logged when the
> login page
> is submitted?
>
> Thanks,
>
> Ken
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
-Ezra Zygmuntowicz
Yakima Herald-Republic
WebMaster
http://yakimaherald.com
509-577-7732
ezra@yakima-herald.com
Ken Pratt
2006-Feb-24 23:03 UTC
[Rails] Re: Plain text passwords displayed in production.log
Thanks Ezra. Although I''d still like the transaction log, that will do until I have time to test out the Plugin that Jeremy suggested. -Ken
James Adam
2006-Feb-25 02:24 UTC
[Rails] Re: Plain text passwords displayed in production.log
How about, in your controller:
def login
RAILS_DEFAULT_LOGGER.info "Attempting to authenticate user
''#{params[:login]}''"
RAILS_DEFAULT_LOGGER.silence do
# however you''re doing the authentication..., e.g.
user = User.authenticate_somehow(params[:login],
params[:cleartext_password_or_whatever])
end
RAILS_DEFAULT_LOGGER.info "Login failed!" if user.nil?
# ... and then whatever else you need to do.
end
For extra credit, you can even make the silencing ONLY happen when
RAILS_ENV == ''production''.
- james
On 2/24/06, Ken Pratt <ken@kenpratt.net> wrote:> Thanks Ezra. Although I''d still like the transaction log, that
will do until I
> have time to test out the Plugin that Jeremy suggested.
>
> -Ken
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
--
* J *
~