views: 267

answers: 4

If I use restful_authentication in my Ruby on Rails app, are passwords transferred between the browser and the server in plaintext? And if so, how worried should I be about it?

+2  A: 

Well, you need to be worried if you are not hosting it over HTTPS... because if it is straight HTTP, then yes it is being passed in plaintext.

I don't know Rails specifically, but I'm pretty sure it has nothing to do with whether you host it via HTTP or HTTPS.

Edit: I found this link which apparently provides an example Rails app over HTTPS.

Further Edit: Here is another link discussing HTTPS with Rails.

Mike Stone
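The point of the answer above is that nothing in the authentication plugin protects the password on the wire; only the transport does. As an added illustration (not code from the thread or from restful_authentication), here is a minimal Rack-style middleware that keeps the login and signup paths from being served over plain HTTP. It assumes the default restful_authentication routes (/session and /users) and only uses the standard Rack env keys, so it runs without any gems.

```ruby
# Added example, not from the original post or the restful_authentication
# plugin: refuse plain-HTTP access to the paths that carry a password.
class RequireHttps
  # protected_paths: assumed restful_authentication routes (login + signup).
  # trust_forwarded_proto: only set to true when a TLS-terminating proxy you
  # control sets X-Forwarded-Proto; otherwise a client could spoof it.
  def initialize(app, protected_paths: ['/session', '/users'], trust_forwarded_proto: false)
    @app = app
    @protected_paths = protected_paths
    @trust_forwarded_proto = trust_forwarded_proto
  end

  def secure?(env)
    return true if env['rack.url_scheme'] == 'https'
    return false unless @trust_forwarded_proto
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end

  def protected?(path)
    @protected_paths.any? { |prefix| path == prefix || path.start_with?("#{prefix}/") }
  end

  def https_url(env)
    query = env['QUERY_STRING'].to_s
    suffix = query.empty? ? '' : "?#{query}"
    "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}#{suffix}"
  end

  # Rack interface: returns [status, headers, body].
  def call(env)
    return @app.call(env) if secure?(env) || !protected?(env['PATH_INFO'].to_s)
    if %w[GET HEAD].include?(env['REQUEST_METHOD'])
      # Safe to redirect: no credentials were in the request yet.
      [301, { 'Location' => https_url(env), 'Content-Type' => 'text/plain' }, ['Redirecting to HTTPS']]
    else
      # A POST carrying the password has already crossed the wire in the clear;
      # a redirect cannot undo that, so refuse and make the problem visible.
      [403, { 'Content-Type' => 'text/plain' }, ['Login must be submitted over HTTPS']]
    end
  end
end

# Constructed stand-in app and requests so the example runs offline.
APP = lambda { |env| [200, { 'Content-Type' => 'text/plain' }, ["ok #{env['PATH_INFO']}"]] }

def sample_env(method, path, scheme, query = '')
  { 'REQUEST_METHOD' => method, 'PATH_INFO' => path, 'rack.url_scheme' => scheme,
    'HTTP_HOST' => 'example.test', 'QUERY_STRING' => query }
end

if __FILE__ == $0
  mw = RequireHttps.new(APP)
  p mw.call(sample_env('GET', '/session/new', 'http'))[0]   # 301
  p mw.call(sample_env('POST', '/session', 'http'))[0]      # 403
  p mw.call(sample_env('POST', '/session', 'https'))[0]     # 200
end
```

Redirecting a GET to the HTTPS form is harmless, but a POST that already contained the password is rejected rather than redirected, since the leak has already happened by the time the middleware sees it; the 403 makes a misconfigured link or form visible in testing instead of silently "working".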
A: 

How does restful_authentication work? Do you have any pointers?

Daren Thomas
Here are two helpful links: http://railscasts.com/episodes/67 and http://wiki.rubyonrails.org/rails/pages/restful_authentication. I'd link them, but right now everything in comments appears to be escaped out.
Chris Bunch
A: 

Authentication with plain text can be done with CHAP style protocols. Is that possible over HTTP?

I'm asking because I think that it would need some state on the server to foil replay attacks, and state on the server is something to be eliminated with RESTful architectures, right?

Daren Thomas
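The reasoning in the post above (a challenge-response scheme keeps the password off the wire, but only if the server remembers which challenges it has issued) can be shown in a few lines. The following is an added example, not code from this thread: a toy CHAP-style exchange in plain Ruby using the standard library's OpenSSL HMAC. The server issues a one-time nonce, the client answers with HMAC(secret, nonce) instead of the secret, and the server consumes each nonce on first use, which is exactly the per-exchange state that defeats a replayed answer. The account names and secrets are constructed.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not part of the original post: a minimal challenge-response
# server whose only job is to show why replay protection needs server state.
class ChallengeServer
  def initialize(secrets)
    @secrets = secrets        # login => shared secret (constructed sample data)
    @outstanding = {}         # nonce => login; the state each exchange needs
  end

  # Step 1: server hands out a fresh, unpredictable nonce and remembers it.
  # A real deployment would also expire entries so the table cannot grow forever.
  def challenge(login)
    nonce = SecureRandom.hex(16)
    @outstanding[nonce] = login
    nonce
  end

  # Step 2: the client computes this from the shared secret; the secret itself
  # never travels over the link.
  def self.respond(secret, nonce)
    OpenSSL::HMAC.hexdigest('SHA256', secret, nonce)
  end

  # Step 3: the nonce is deleted as it is checked, so the same (nonce, response)
  # pair presented a second time is rejected before any secret is consulted.
  def verify(login, nonce, response)
    return false unless @outstanding.delete(nonce) == login
    secret = @secrets[login] or return false
    constant_time_equal?(ChallengeServer.respond(secret, nonce), response)
  end

  private

  # Compare without leaking where the strings first differ.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.reduce(0, :|).zero?
  end
end

if __FILE__ == $0
  server = ChallengeServer.new('alice' => 'correct horse battery staple')
  nonce = server.challenge('alice')
  answer = ChallengeServer.respond('correct horse battery staple', nonce)
  p server.verify('alice', nonce, answer)   # true  (first use)
  p server.verify('alice', nonce, answer)   # false (replay of the same nonce)
end
```

Two things the toy makes visible: the server must keep the secret in a form it can feed to the HMAC, which is a weaker storage posture than a salted one-way hash, and the scheme only hides the password, not the rest of the session, so it is not a substitute for HTTPS. The nonce table is the server-side state the post is asking about; HTTP Digest authentication is the standardized form of this idea and carries the same requirement.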
+2  A: 

If you are concerned about the privacy of passwords (and you should be), you will also want to add this line to your ApplicationController:

filter_parameter_logging :password

Otherwise the passwords will end up in plain text in your log files.

matthewgarysmith
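To make concrete what the filter in the answer above does to a log line, here is an added example (not code from this thread or from Rails) that reimplements the idea in standalone Ruby: any parameter whose key contains a filter word, matched case-insensitively, is replaced by "[FILTERED]" before the params hash is written out, and nested hashes and arrays are walked the same way. The request parameters are constructed; no real credentials are involved.

```ruby
# Added example, not Rails' own implementation: scrub sensitive parameters
# before they reach the log. Substring matching means :password also covers
# keys such as "password_confirmation" and "old_password".
def filter_parameters(params, filter_words = [:password])
  pattern = Regexp.new(filter_words.map { |w| Regexp.escape(w.to_s) }.join('|'),
                       Regexp::IGNORECASE)
  filter_value = lambda do |value|
    case value
    when Hash  then filter_parameters(value, filter_words)
    when Array then value.map { |v| filter_value.call(v) }
    else value
    end
  end
  params.each_with_object({}) do |(key, value), out|
    out[key] = key.to_s =~ pattern ? '[FILTERED]' : filter_value.call(value)
  end
end

# What the logger should write for a request, given the raw params.
def log_line(params)
  "Parameters: #{filter_parameters(params).inspect}"
end

# Constructed login/signup request parameters for running offline.
SAMPLE_PARAMS = {
  'login' => 'alice',
  'password' => 'hunter2',
  'user' => { 'email' => 'alice@example.test', 'password_confirmation' => 'hunter2' },
  'remember_me' => '1'
}

if __FILE__ == $0
  puts "Unfiltered: #{SAMPLE_PARAMS.inspect}"
  puts log_line(SAMPLE_PARAMS)
end
```

The filter only changes what the parameter logger writes; anything else that dumps the whole request, such as an exception notifier, needs the same treatment, and a password sent in a query string will still show up in the request URL line.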