Hi,

I'm running restful_authentication plugin on my projects.
When we log in to the app, the contents of the form that the login sends
are clearly available to anyone sniffing traffic. For example, locally I
can see that the form sends:

authenticity_token=TEzCRYvzJbioHD3rpt3VuWHkl4rmrngRn3V%2BjCM9qz4%3D&login=user1&password=pass1&mobile=false&commit=Log+In

So the username and password can be seen there.

I know HTTPS would hide that; also, the token is needed for anyone to use
those credentials later.

But, how can this be considered secure?
This is not directly related to the restful_authentication plugin; it is a
common issue with any other form.

Cheers.
-- 
Posted via http://www.ruby-forum.com/.
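The mitigation the question points at (serve the login form only over HTTPS), as an added example that is not part of the original post and not code from restful_authentication. It assumes a Rack-style app responding to `call(env)` and, if a TLS-terminating proxy sits in front, that the proxy sets `X-Forwarded-Proto`; the app and request hashes below are constructed so it runs without the rack gem.

```ruby
# Added example, not code from the original post or from restful_authentication.
# A minimal Rack-style middleware: any request that did not arrive over TLS is
# redirected, so the login form (login=...&password=...) is never accepted over
# plaintext, and the session cookie the app sets is marked Secure + HttpOnly.
# Assumed: the app responds to #call(env); a TLS proxy, if any, sets X-Forwarded-Proto.
class ForceHttps
  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect_to_https(env) unless https?(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    headers['Set-Cookie'] = harden_cookie(headers['Set-Cookie']) if headers['Set-Cookie']
    [status, headers, body]
  end

  # TLS either directly or as reported by the first hop in X-Forwarded-Proto.
  def https?(env)
    proto = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
    env['rack.url_scheme'] == 'https' || proto == 'https'
  end

  # 301 to the same URL on https. A POSTed body is discarded by the redirect,
  # which is the point: credentials sent over http are never processed.
  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    [301, { 'Location' => location, 'Content-Type' => 'text/plain' }, ['Redirecting to HTTPS']]
  end

  # Secure: browser sends the cookie only over TLS. HttpOnly: not readable by JS.
  # Assumes a single Set-Cookie value.
  def harden_cookie(cookie)
    parts = cookie.split(';').map(&:strip)
    parts << 'Secure'   unless parts.any? { |p| p.casecmp('secure').zero? }
    parts << 'HttpOnly' unless parts.any? { |p| p.casecmp('httponly').zero? }
    parts.join('; ')
  end
end

# Constructed stand-in for the sessions controller: sets a session cookie on login.
LOGIN_APP = lambda { |_env| [200, { 'Set-Cookie' => 'session=abc; Path=/' }, ['ok']] }
SECURED_APP = ForceHttps.new(LOGIN_APP)
# Simulate the login POST arriving over plain http ('http') or over TLS ('https').
def login_over(scheme)
  SECURED_APP.call('rack.url_scheme' => scheme, 'HTTP_HOST' => 'example.test',
                   'PATH_INFO' => '/session', 'QUERY_STRING' => '', 'REQUEST_METHOD' => 'POST')
end
```

Forcing TLS stops the passive sniffer described in the question; the authenticity_token remains a CSRF defence only and does not protect the credentials themselves.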
