Rails 3 user authentication with heroku

Question

Rolling my first heroku app and am currently working on user authentication. (As well as authentication... for example user 1 cant access user 3's stuff).

Is it easier just to roll my own scaffolded authentication? Or use something like devise? I can do the standard salted password authentication, store the user id in the session, and then pull from the database in controllers but is that secure? Would devise be better in the long run?

Thanks for the advice :)

Answer 1

If you want to take on the challenge (which isn't really that big), I strongly suggest that you roll your own system. Having previously used both Authlogic and Devise I've come to the conclusion, that building your own has more advantages in the long run:

• You thoroughly understand how the system works (which is quite important when it comes to authentication, I believe)
• Devise and Authlogic is build with a specific use case in mind, and although they can be modified, my experience is that it's a pain. At some point, you will probably feel limited by both systems.
• You know where to start and what to do, if you want to add features to the system

If you decide to roll your own, Ryan Bates has created an excellent screen cast on just that. Also, don't forget to test it!

Answer 2

Devise is highly recommended, I think it would save much of your time and it currently do all the magic you need involving the session with a good security.

Answer 3

Go with Devise unless you have a solid understanding of how to make a decent authentication system, AND you have a good reason to not use Devise.

And if you do roll your own, make sure you use bcrypt.