Hey I'm new so I don't know if this is a stupid question, but I
implemented this tutorial from the rails recipe book "Chapter 31 -
Authentication", that shows you how to create user login using a hash +
salt. I followed the steps tried it out and it works.
I decided to look into my development.log files and I can see the log
files are writing the passwords in the clear. Is this bad? I'm
thinking this is.
If this is BAD does anyone know how I can modify that rails recipe so
it doesn't write it into the development.log
So I want to know is it good practice for development that we see
everything, but for production we should filter it?
Should you filter more stuff than the username and password? Should
actions be filtered? It is a log file; I'm more concerned about how much of a
security risk it is and what best practices there are.
There are a lot of people who are buying this book and probably going
to use that recipe "as is". It would be good to notify the author and
let him know in the next release you should update that recipe and
include:
In production mode most people only log errors or warnings. This by itself takes care of the problem. I’m sure the author of ‘Recipes’ is highly aware of that.
I'm sure the author is well aware of this, it's more of the noobs who
will take this recipe as is. As you learn stuff you tend to take things
as is, but understanding the "risks" involved and some possible
solutions "filter_parameter_logging" to fix them are important steps in
learning.
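An added, standalone Ruby illustration (not code from this thread or from the Recipes book) of what the `filter_parameter_logging` fix mentioned above actually does to the request line: the value of every key matching the configured names is replaced with `[FILTERED]`, recursively through nested params, so the login form's password never reaches development.log. The key patterns and the sample request below are constructed for the example.

```ruby
# Added illustration, not code from the thread or the Recipes book: a
# standalone re-implementation of Rails' request-parameter filtering, so
# you can see what ends up in development.log before and after.
#
# In the Rails 2 era the thread is about, the one-liner in the controller is:
#     filter_parameter_logging :password
# Rails 3+ moved it to configuration:
#     config.filter_parameters += [:password]
# Both replace the VALUE of any matching key with "[FILTERED]" in the
# "Parameters:" line, walking nested hashes and arrays.

# Constructed list of key patterns; extend it for whatever your app logs.
SENSITIVE_KEYS = [/password/i, /salt/i, /secret/i, /token/i].freeze

# Returns a copy of +params+ with every value whose key matches one of the
# patterns replaced by "[FILTERED]". Nested hashes and arrays are handled,
# so params["user"]["password"] is masked as well as params["password"].
def filter_params(params, patterns = SENSITIVE_KEYS)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] =
        if patterns.any? { |re| key.to_s =~ re }
          "[FILTERED]"
        else
          filter_params(value, patterns)
        end
    end
  when Array
    params.map { |v| filter_params(v, patterns) }
  else
    params
  end
end

# Mimics the "Processing ... Parameters: {...}" line Rails writes per request.
def log_line(action, params)
  "Processing #{action} (for 127.0.0.1) Parameters: #{filter_params(params).inspect}"
end

if __FILE__ == $0
  # Constructed sample login request, as the recipe's form would submit it.
  sample = { "controller" => "sessions", "action" => "create",
             "user" => { "login" => "alice", "password" => "hunter2" } }
  puts log_line("SessionsController#create", sample)
end
```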