Hi all-

I am building an application that includes a login screen. During development I found that user passwords are logged by Rails in plain text -- this will not be acceptable to my users. Is there a way to obscure/encrypt incoming password parameters or not write them to the log files at all? One thought was to use Javascript, but I was not sure how secure that would be.

Thanks,
Josh

--
Posted via http://www.ruby-forum.com/.
From the Rails WIKI
http://wiki.rubyonrails.com/rails/pages/HowtoAuthenticate

Q: Don't plain-text passwords still show up in the access log files as part of the POST requests? Anyone know how to prevent that?

A: Yes, post data shows up in log files including passwords. To prevent this adjust your logging level:

    RAILS_DEFAULT_LOGGER.level = Logger::WARN

A: I also ran into this problem. Rather than just change the log level everywhere, I wanted to only increase it around controller actions that dealt with passwords. Additionally, the default logging level for development is Logger::DEBUG, but for production it's Logger::INFO.

So what I did was add two methods to my login controller:

    # Raise the log level so request details are not written while a
    # password-handling action runs.
    def upgrade_logging
      RAILS_DEFAULT_LOGGER.level = Logger::WARN
    end

    # Put the level back to the environment's default afterwards.
    def restore_logging
      if ENV['RAILS_ENV'] == "production"
        RAILS_DEFAULT_LOGGER.level = Logger::INFO
      elsif ENV['RAILS_ENV'] == "development"
        RAILS_DEFAULT_LOGGER.level = Logger::DEBUG
      end
    end

and then setup before_filters to call them around my sensitive actions:

    before_filter :upgrade_logging, :except => [:home_page, :logout, :list_users, :delete_user]
    before_filter :restore_logging, :except => [:add_user, :login, :change_password, :reset_password]

On 7/10/06, Josh <jkahn_117@yahoo.com> wrote:
> [...]
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
If you still want to see other request parameters but not passwords, check out this patch:

http://dev.rubyonrails.org/ticket/1897

I noticed this is already applied to the HEAD, so check out edge rails if you don't want to do the work yourself.

On 7/10/06, Brian Hogan <bphogan@gmail.com> wrote:
> [...]
Thanks for the information, but the latter suggestion would not seem to work. Logging of parameters is done by Rails code that is executed before it reaches my application code (e.g. prior to the before_filter being called), so the parameters still appear in the log. The first method below eliminates the logging of some valuable information.

Although I would prefer not to need to modify the Rails source code, it seems that the second response to my posting would be the most preferable.

Thanks!

Brian Hogan wrote:
> [...]

--
Posted via http://www.ruby-forum.com/.
Don't mean to be a pest, but the patch[1] and corresponding changeset 4200[2] address your specific problem from the core api. If the other suggestion works for you, great, but I don't want you to have incorrect information.

[1] http://dev.rubyonrails.org/ticket/1897
[2] http://dev.rubyonrails.org/changeset/4200

On 7/10/06, Josh <jkahn_117@yahoo.com> wrote:
> [...]
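The changeset Cuong points at adds filter_parameter_logging, and the reason it works where the before_filter approach does not is that the filtering happens inside the logging code itself, before the "Parameters:" line is written, so it is independent of the log level and of when a controller's filters run. The block below is an added stand-alone example, not code from the thread or from Rails: it reproduces that behaviour in plain Ruby (case-insensitive substring match on the parameter key, recursion into nested hashes, the literal "[FILTERED]" placeholder) and additionally walks arrays of hashes, which is an extension for this example. The sample login parameters and the in-memory Logger are constructed here.

```ruby
require 'logger'
require 'stringio'

# Added example (not from the thread or from Rails): a stand-alone version of
# the parameter filtering that Rails 1.2's filter_parameter_logging applies
# before the request parameters are written to the log.
FILTERED = '[FILTERED]'.freeze

# Build one case-insensitive pattern from the configured words, so :password
# also matches "password_confirmation", "old_password" and "API_Password".
def build_parameter_filter(*filter_words)
  Regexp.new(filter_words.map { |w| Regexp.escape(w.to_s) }.join('|'),
             Regexp::IGNORECASE)
end

# Return a filtered copy of params; the original hash is left untouched so
# the controller still sees the real password. Arrays of hashes are walked
# too (an extension of the original behaviour, added for this example).
def filter_parameters(params, pattern)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = key.to_s =~ pattern ? FILTERED : filter_parameters(value, pattern)
    end
  when Array
    params.map { |v| filter_parameters(v, pattern) }
  else
    params
  end
end

# Mimics the "Parameters: {...}" line Rails emits per request, but filters
# first so the logger never receives the secret, whatever its level is.
def log_request(logger, params, pattern)
  filtered = filter_parameters(params, pattern)
  logger.info("Parameters: #{filtered.inspect}")
  filtered
end

# Constructed sample: a login POST as Rails would parse it (not real data).
SAMPLE_PARAMS = {
  'controller' => 'account',
  'action'     => 'login',
  'user'       => { 'login' => 'josh', 'password' => 'hunter2',
                    'password_confirmation' => 'hunter2' },
  'remember'   => '1',
  'devices'    => [{ 'name' => 'laptop', 'api_password' => 'abc' }]
}

# Run one request through the logger at the development default (DEBUG),
# returning the filtered params and the text that reached the log.
def demo
  io = StringIO.new
  logger = Logger.new(io)
  logger.level = Logger::DEBUG
  pattern = build_parameter_filter(:password)
  filtered = log_request(logger, SAMPLE_PARAMS, pattern)
  [filtered, io.string]
end

if __FILE__ == $0
  filtered, log_text = demo
  puts log_text
  puts "controller still sees: #{SAMPLE_PARAMS['user']['password']}"
  puts "log saw: #{filtered['user']['password']}"
end
```

Note that the match is on the parameter key, not its value: a password typed into a field whose name does not contain one of the configured words (a "passwd" field when only :password is configured, or a search box) still reaches the log verbatim, so the word list has to be kept in step with the form fields.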
There is also the plugin version (http://agilewebdevelopment.com/plugins/filter_logged_params) for older versions of Rails.

--
Benjamin Curtis
http://www.bencurtis.com/
http://www.tesly.com/ -- Collaborative test case management
http://www.agilewebdevelopment.com/ -- Resources for the Rails community

On Jul 10, 2006, at 8:13 AM, Cuong Tran wrote:
> [...]
I was actually just looking at that changeset. At first it seemed that the change should be in the latest version of Rails (1.1.4), but per this note on the blog, it will not be included until v1.2:

------
http://weblog.rubyonrails.org/2006/4/9/rails-1-1-2-tiny-fix-for-gems-dependencies

filter_parameter_logging is a new feature, thus it's slated for 1.2.0. New releases in the Rails 1.1.x line will only contain bug fixes.
------

Benjamin -- is there another way to get the plugin? I have not been able to reach the subversion server listed in the link you provided above.

--
Posted via http://www.ruby-forum.com/.