0

I have an initial login screen where we can enter a "username" and "password". I have four views and I am using the "username" and "password" entered in the first login view to establish an SSH connection in the fourth view.

To pass and use the username and password, I'm passing them through a hidden_field_tag in all these views, and when we click on the submit button, these hidden field values are passed to the second view.

All these submits are get requests.

The username and passwords are appearing in the URL as I am passing them as parameters. If I use a post request instead of a get, the page expires when I click on the back button in my browser.

Is there anyway to hide/encrypt those parameters in the URL?

Thanks.

user1455116
  • 2,034
  • 4
  • 24
  • 48

4 Answers4

1

I don't think you're going to be able to hide them as we know GET exposes the params. I'm wondering if you can store them in the session instead? I don't know what you're doing off hand but the logic seems a bit opaque. Maybe you can re-think the logic into more of a common pattern. Good luck!

Adam O'Connor
  • 2,582
  • 2
  • 16
  • 19
  • I'm quite new to rails and web development. There is only a controller and some views. How can i store the username and password entered in the login page in a session and use them later in the fourth view? Thanks – user1455116 Jul 06 '12 at 16:19
0

You really shouldn't be passing the username and password as GET requests. I would recommend instead having another form button to go back in the 4-step process so that the whole process is done by POST whichever direction you are travelling, this would also ensure the user doesn't lose data when going to a previous page.

<%= form.submit 'Previous Step' %>
<%= form.submit 'Next Step' %>

Controller:

if params[:commit] == "Next Step" 
  object.update_attributes(params[:item])
  <..logic..>
end
Matt
  • 13,948
  • 6
  • 44
  • 68
0

You really shouldn't be passing the username and password as a get request. If you don't want the page to expire as a post, I suppose what you could do something which would send the username and password via AJAX post request and the rest with a get request.

Travis Pessetto
  • 3,260
  • 4
  • 27
  • 55
0

What's wrong with the page expiring when you hit the back button? Seems fine to me. You often can't login to something then hit the back button to return to the page - google for example. Use post.

Scott Schulthess
  • 2,853
  • 2
  • 27
  • 35