I’m new to web development in general and ruby on rails in specific. I’m working on developing a web interface where i’m using a ‘Get’ and ‘Post’ requests on the same method. When i use a get method and send parameters (like username and password), they are being visible in the url. Hence, below is what i did.

form1.html.erb

<%= form_for :modify, :method => "post", :url => {:action => "method2"} do |f|%>
#code here to input username and password
<%=end%>

in my routes.rb i wrote the following routes to the method2:

post 'controller/method2'
get 'controller/method2'

When i enter username and password and click on submit, it is finding the post 'method2' and executing the code in the controller, and displaying method2.html.erb as there is a get request for the same method and also there is a view for method2.

However, i suspect this is not the right way to do it. I do not want the password to be visible. I came to know that i have two options, store the password in a session or send a post request. I do not want to store in session as it is not safe. When i write a post method the page expires when the user tries to come back. To prevent either of these happening, i used the same action in controller as post and get and now i do not see any parameters visible in the url.

Please let me know if this is not the right way to do