Password showing in production.log

Question

Using Rails 2.3.8.

I have added this in my controller:

  filter_parameter_logging :password, :password_confirmation

But password is still showing in my production and development logs. Please advise.

Processing UserSessionsController#create (for 110.159.52.119 at 2011-03-11 18:25:50) [POST]
  Parameters: {"user_session"=>{"remember_me"=>"0", "password"=>"therealpassword", "login"=>"usernamehere"}, "action"=>"create", "authenticity_token"=>"kx96Yc9sF/dYbRL8UYni2tp+p/yz6CTHw+j/X6bqh/g=", "controller"=>"user_sessions"}
[paperclip] Saving attachments.
Redirected to http://abc.com/account
Completed in 2047ms (DB: 532) | 302 Found [http://abc.com/user_session]
** Erubis 2.6.6

Thanks.

Answer 1

For others' reference: filter_parameter_logging is deprecated in Rails 3.

From the Devise tutorial:

" PREVENT LOGGING OF PASSWORDS We don’t want passwords written to our log file. In Rails 2, we would change the file

app/controllers/application_controller.rb

to include:

filter_parameter_logging :password, :password_confirmation

In Rails 3, this is deprecated and instead we modify the file config/application.rb to include:

config.filter_parameters += [:password, :password_confirmation]

Note that filter_parameters is an array. "