user1455116

Reputation: 2144

Ruby on rails Password is visible in url as parameter

I have an initial login screen where we can enter a "username" and "password". I have four views and I am using the "username" and "password" entered in the first login view to establish an SSH connection in the fourth view.

To pass and use the username and password, I'm passing them through a hidden_field_tag in all these views, and when we click on the submit button, these hidden field values are passed to the second view.

All these submits are get requests.

The username and passwords are appearing in the URL as I am passing them as parameters. If I use a post request instead of a get, the page expires when I click on the back button in my browser.

Is there any way to hide/encrypt those parameters in the URL?

Thanks.

Upvotes: 0

Views: 1110

Answers (4)

Scott Schulthess

Reputation: 2923

What's wrong with the page expiring when you hit the back button? Seems fine to me. You often can't login to something then hit the back button to return to the page - google for example. Use post.

Upvotes: 0

Matt

Reputation: 14038

You really shouldn't be passing the username and password as GET requests. I would recommend instead having another form button to go back in the 4-step process so that the whole process is done by POST whichever direction you are travelling; this would also ensure the user doesn't lose data when going to a previous page.

<%= form.submit 'Previous Step' %>
<%= form.submit 'Next Step' %>

Controller:

if params[:commit] == "Next Step"
  object.update_attributes(params[:item])
  # ... logic for the next step ...
end

Upvotes: 0

Travis Pessetto

Reputation: 3298

You really shouldn't be passing the username and password as a get request. If you don't want the page to expire as a post, I suppose what you could do is send the username and password via an AJAX post request and the rest with a get request.

Upvotes: 0

Adam O'Connor

Reputation: 2652

I don't think you're going to be able to hide them as we know GET exposes the params. I'm wondering if you can store them in the session instead? I don't know what you're doing off hand but the logic seems a bit opaque. Maybe you can re-think the logic into more of a common pattern. Good luck!

Upvotes: 1
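Combining the two suggestions above (Matt's POST-only "Previous Step"/"Next Step" buttons and Adam's idea of keeping the credentials in the session), here is an added illustration that is not code from the question or any answer. It is plain Ruby, not a real Rails controller: `session` and `params` are ordinary Hashes standing in for the Rails objects, and the redirect is reduced to returning the path that would be redirected to, so that the only thing ever placed in a URL is the step number.

```ruby
require 'uri'

# Added illustration (not from the question or answers): a plain-Ruby stand-in
# for a Rails wizard controller. `session` and `params` are plain Hashes in
# place of the Rails objects; redirect_to is reduced to returning a path.
class WizardController
  STEPS = 4

  def initialize(session = {})
    @session = session
  end

  # Step 1 receives the login form by POST; credentials go into the session
  # (keep the store server-side) and never into a hidden field or a URL.
  def login(params)
    username = params.fetch('username').to_s
    password = params.fetch('password').to_s
    raise ArgumentError, 'credentials required' if username.empty? || password.empty?
    @session['ssh_username'] = username
    @session['ssh_password'] = password
    @session['step'] = 2
    redirect_path(2)
  end

  # Steps 2..4 are driven by the submit button label (Rails exposes it as
  # params[:commit]); every transition is a POST and only the step number
  # travels in the URL.
  def advance(params)
    step = @session.fetch('step')
    case params['commit']
    when 'Next Step'     then step += 1 if step < STEPS
    when 'Previous Step' then step -= 1 if step > 2
    else raise ArgumentError, "unknown action #{params['commit'].inspect}"
    end
    @session['step'] = step
    redirect_path(step)
  end

  # Step 4 takes the stored credentials (e.g. to open the SSH connection)
  # and removes them from the session so they do not outlive the wizard.
  def finish
    creds = { username: @session.delete('ssh_username'),
              password: @session.delete('ssh_password') }
    @session.delete('step')
    creds
  end

  private
  def redirect_path(step)
    "/wizard/step?#{URI.encode_www_form(step: step)}"
  end
end
```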
