Reputation: 115362
Rails' form_tag helper doesn't submit using HTTPS?
I want to protect the login form of my Rails application using HTTPS. After a bit of a uphill struggle I now have the SSL certificate installed and Apache/Passenger set up correctly.
My application uses SSL Requirement and RESTful Authentication in combination for the login form. I've noticed using Firebug that the login credentials are still sent in the clear. How can I make the Rails form_tag helper submit the form over HTTPS? I couldn't see anything about this in the docs.
EDIT: I did some more research and edited my routes file so that the session controller uses HTTPS:
map.resource :session, :controller => 'session',
:only => [:new, :create, :destroy],
:requirements => { :protocol => 'https' }
I also changed the login form to use session_url instead of session_path:
<% form_tag session_url do %>
.
.
.
<% end %>
—This is correctly using a full https:// URL as the action for the generated form element, but I can still sniff the user name and password using Firebug. What's going on?!
Thanks.
Upvotes: 0
Views: 1433
Answers (2)
Reputation: 1794
Since Firebug is an extension inside Firefox it probably sees the request data before it gets encrypted. If you want to test this properly you should use a tool outside of Firefox.
Upvotes: 2
Reputation: 11811
<%= form_for user, {:url => https_path} do %>
...
<% end %>
Upvotes: 3
Related Questions
- Rails _url helper and force_ssl
- Rails forms leading to Mixed Content warning
- Ruby HTTPS Post issue
- how to post to ssl from rails controller
- rails 'form_tag' defaults to POST method but submits with GET method
- How do I tell my rails form to use https?
- Rails form_tag post not working
- POST over HTTPS Ruby on Rails
- Rails: Forcing form tag to use an HTTPS action
- make rails url helpers use the appropriate protocol?