Edward

Reputation: 141

Rails Authentication with has_secure_password

How would I create sessions with rails 3 has_secure_password? I've checked out http://guides.rubyonrails.org/security.html.

And none of it is really specific. Do I have to use the sessions method? What is the community standard? I do not want to use Devise/CanCan. I only need simple authorization/authentication based on cookies.

Should I be storing User objects in cookies?
Would the password be vulnerable?

Upvotes: 2

Views: 4519

Answers (2)

memoht

Reputation: 781

If you have the money to spend, Railscasts Pro covers this in detail using has_secure_password in Episode 250 Revised, Authentication from Scratch (revised).

There is also a slightly older version of the screencast that is free and includes a detailed ASCIIcast. The sessions portion might be useful for you to read or watch.

Upvotes: 1

Edward

Reputation: 1914

Check out this tutorial by Michael Hartl, Chapter 8. He did a good job explaining the implementation of using has_secure_password:

http://ruby.railstutorial.org/ruby-on-rails-tutorial-book

Basically you will need a password field AND a password_confirmation field AND a password_digest field in your user model. By calling has_secure_password in your model, whenever the password confirmation is valid, a password_digest will be generated. You can log in users in your sessions controller by checking:

    user = User.find_by_email(params[:session][:email])
    if user && user.authenticate(params[:session][:password])
      # sign in the user (set the session / remember token)
    else
      # return an error message
    end

A remember_token will also be needed as a field in your model for identifying users in cookies. You can return the remember_token on authentication and set it in the Rails session, for example:

    user = User.find_by_email(email)
    session[:remember_token] = user.remember_token

Upvotes: 3
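The sign-in flow the answer above sketches, written out as an added example that is not part of the original answer and not Rails' own code. It mimics what has_secure_password gives you (a virtual password/password_confirmation pair, a persisted password_digest, and an authenticate method that returns the user or false) in plain Ruby so it runs without ActiveRecord. Two assumptions to note: Rails hashes passwords with bcrypt, but bcrypt is not in the standard library, so PBKDF2-HMAC-SHA256 from OpenSSL stands in for it here; and the session only ever holds a random remember token while the model keeps a SHA-256 digest of it (User.find_by on that digest in real Rails), which is a deliberate deviation from storing the raw token on the user record. USERS, register, sign_in, current_user and sign_out are hypothetical names for the users table and the SessionsController actions.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Constant-time comparison, same idea as ActiveSupport::SecurityUtils.secure_compare,
# so a wrong digest does not fail faster at the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Stand-in for an ActiveRecord model with has_secure_password. Rails hashes with
# bcrypt; PBKDF2-HMAC-SHA256 from the stdlib is used here only so the file runs
# without the bcrypt gem. Only password_digest and remember_digest would be columns;
# password and password_confirmation are virtual attributes and never persisted.
class User
  ITERATIONS = 100_000
  attr_reader :email, :password_digest, :remember_digest
  attr_accessor :password_confirmation

  def initialize(email:, password:, password_confirmation: nil)
    @email = email
    @password_confirmation = password_confirmation
    self.password = password
  end

  # Virtual attribute: the plaintext is hashed with a fresh salt and discarded.
  def password=(plain)
    @password = plain
    @password_digest = nil
    return if plain.nil? || plain.empty?
    salt = SecureRandom.hex(16)
    @password_digest = "#{ITERATIONS}$#{salt}$#{pbkdf2(plain, salt, ITERATIONS)}"
  end

  # has_secure_password adds presence-of-digest and confirmation validations.
  def valid?
    return false if @password_digest.nil?
    @password_confirmation.nil? || @password == @password_confirmation
  end

  # Same contract as has_secure_password#authenticate: self on a match, false otherwise.
  def authenticate(candidate)
    return false if @password_digest.nil? || candidate.nil?
    iters, salt, digest = @password_digest.split('$')
    secure_compare(pbkdf2(candidate, salt, iters.to_i), digest) ? self : false
  end

  # Remember token: hand the random token to the session/cookie and persist only
  # its SHA-256 digest, so a leaked users table cannot be replayed as live sessions.
  def remember!
    token = SecureRandom.urlsafe_base64(32)
    @remember_digest = Digest::SHA256.hexdigest(token)
    token
  end

  def forget!
    @remember_digest = nil
  end

  private

  def pbkdf2(plain, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(plain, salt: salt, iterations: iterations,
                             length: 32, hash: 'sha256').unpack1('H*')
  end
end

# In-memory stand-in for the users table (assumption for this example).
USERS = {}

def register(email, password, confirmation)
  user = User.new(email: email, password: password, password_confirmation: confirmation)
  return nil unless user.valid?
  USERS[email] = user
end

# What SessionsController#create does: on success store a fresh token in the
# session and return the user; on failure return nil and leave the session alone.
def sign_in(session, email, password)
  user = USERS[email]
  return nil unless user && user.authenticate(password)
  session[:remember_token] = user.remember!
  user
end

# current_user helper: in Rails this is User.find_by(remember_digest: digest).
def current_user(session)
  token = session[:remember_token]
  return nil if token.nil?
  digest = Digest::SHA256.hexdigest(token)
  USERS.values.find { |u| u.remember_digest == digest }
end

def sign_out(session)
  current_user(session)&.forget!
  session.delete(:remember_token)
end
```

Two things this makes concrete about the original question: nothing but a random token ever goes into the session (never a User object, never the password or its digest), and a wrong password returns false without touching the session, so there is no partial sign-in state to clean up.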
