31 Comments
- concept10, on 10/12/2007, -0/+11
You guys (and gals) really show your age and understanding of the Rails framework in the posts above. First off, Rails is a great framework for developing web apps and Ruby is almost perfect (IMHO) as a true object-oriented language. Don't respect my opinion? Spend some time with Java/Python/Perl/PHP or _insert_ your favorite language/framework and compare the syntax, the expressiveness and power that Ruby handles in one/two lines of code and remains readable! But of course, you are not going to do that.
You will just post comments about something that you have judged as hype because of the many articles published without actually spending any time digging in the API, reading a book or whatever.
@timalmond = If you understand the philosophy behind Rails, you would understand about authentication. Rails isn't about scaffolding an app for you. Rails is about abstracting functionality and other good stuff used by most of the people. It's not about attempting to please every developer out there with one _true_ authentication and admin. I absolutely hated working on authentication in my first two applications, but looking back now, I have learned soooo much.
@CaughtThinking = what have you ever contributed to the OSS world more "important" than Rails? Only a few years away? Do you have a script that carries mindshare for more than one blog post?
Rails is great, it has given guys such as me a free, powerful tool for creating database backed apps. Django is also great (but I prefer Ruby). Stop hating and contribute.
BTW, this is a fine article, I saw it this weekend.
- lukes, on 10/12/2007, -2/+11
snipehack could do it in php in no time at all, because snipehack doesn't understand anything about user authentication or security in a web app, password protected browser session, sweet!
- hoofarted, on 10/12/2007, -3/+13
Ok snipehack. Then show me the equivalent thing in MySQL/PHP. If you say "save a couple of hours", I would love to see how you do it. I am not a web developer but I have played with ROR and I refuse to believe that doing this by hand will be faster.
- jeremymcanally, on 10/12/2007, -1/+8
Have you ever even used it?
ColdFusion sucked; I've been around long enough that I would have heard said "hype" and I must have missed it. I wrote a few articles on CF back in the day (Google for my name; you'll see), but I still fail to see how it even compares to the Rails either in usefulness/usability and amount of support garnered.
Rails is not the Segway of web development; I'm supposing you meant to imply that it was a useless gadget. Go ahead; I dare you to port your PHP app over to it. I guarantee you'll have 1/2 as much code and 1/4 as much headache. Rails is the new way of web development; it's the Prius of web frameworks if you will. You still get the benefits of running on gas (i.e. HTML output, comfortable scripting language environment) but you also get that extra little oomph that saves you a whole lot of money and hassle (i.e. ActiveRecord, Action Pack, etc.).
- Kam3k, on 10/12/2007, -0/+6
Authentication will never be part of Rails since it's beyond the scope of the framework, there are too many different approaches to authentication. Rails is supposed to provide infrastructure, not any prebuilt functionality. Every single Rails app I've written had slightly different authentication requirements. However as the article mentions, there are 3 ready made solutions to choose from if you don't want to write your own, and they're easy to customise.
- inactive, on 10/12/2007, -2/+7
This is a great authentication tutorial, and other than a lot of the ignorant posts above, ROR has definitely won me over on a lot of future projects.
- Kam3k, on 10/12/2007, -0/+4
There are obviously 2 types of web developer, those that always look to improve their skills and make use of the best and most appropriate technologies available, and those that just stick to what they know and are threatened by new approaches such as those offered by Rails, Django and Seaside. The latter type are destined for your 'vat of unimportance'.
- lartexpert, on 10/12/2007, -0/+3
Definitely a digg - the article is making me think about looking into RoR more seriously. I concentrate on Perl & PHP at the moment, and I'm working on rewriting my framework. Maybe I shouldn't - it's starting to look like RoR has most of what I'd want, already written.
Authentication (that /works/ and is reasonably secure) is only a two-minute job if you've already written the code for it. I've yet to see a decent PHP developer that didn't either use an existing framework/object library, or write their own framework and use that in the same kind of way. Why rewrite the authentication code when you can write it once and make sure it works properly? Frameworks and libraries are a good thing, taking out much of the donkey-work; for instance, how many sites have you developed that /didn't/ need a user auth system? If it's more than one, where is the benefit in writing it more than once? To extend the idea, where is the benefit in writing it yourself if someone else has written code that works?
I'll probably stick with my framework for the moment though - I think that most dynamic websites have so many similarities that the framework can be extended to include most of the views and controllers, with a relatively generic way to specify the models too. There are always cases when something different is needed, but normally it's all much of a muchness.
One part of the article did raise some concerns about RoR though: "We make the id and salt attributes protected. This makes sure that users can't set them by sending a post request" - Does anyone else remember why PHP stopped turning register_globals on? Any framework that allows a user to set their own variables by default using a POST request has serious security problems in my opinion.
- JonGretar, on 10/12/2007, -1/+3
And you could do the authentication in half the ruby code shown here. Obviously you didn't read the article. You really should read things before you bash them.
The biggest part there are the tests. I know testing is something PHP developers have never heard about. Might be the reason why most PHP applications tend to be broken.
- suqur, on 10/12/2007, -0/+2
timalmond, here is the one I'm using. It does the job for a basic system.
http://brainspl.at/articles/2006/02/20/new-plugin-acl_system
- lukes, on 10/12/2007, -0/+2
CaughtThinking: your "arrogant clueless" developer won the o'reilly award for best hacker of 05.
and what the development community at large still thinks means little to me. on the web you can choose what tools and languages to implement your project in and it makes no difference if the person sitting next to you knows or cares about it. if it runs on the server, then it will work.
you have so much unneeded hate brewing inside you, have you seen someone about that?
- jeremymcanally, on 10/12/2007, -0/+2
I don't think he actually knows what he's talking about, because when I use POST on Rails, I have to access post variables through the @params hash...maybe he got confused or knows something I don't somehow. Even so, that extra bit of security can't hurt.
- aidanf, on 10/12/2007, -0/+2
jeremy: This applies when you create a new object directly from the params hash or use update_attributes to change it. Here is an example. You can create a new user using something like this in your controller
@user = User.new(params[:user])
Your form has entries for username, password, email etc. which get set in the params hash. But a user could create their own form that has values for salt, role or other attributes that you wouldn't want them to update. Using attr_protected (or attr_accessible) prevents these attributes from being updated in this way.
- jesusphreak, on 10/12/2007, -0/+2
jeremy, I believe @params is deprecated. Use params instead.
Maybe you knew that, though. :)
- jeremymcanally, on 10/12/2007, -0/+2
Look at acts_as_authenticated; it has roles; and this is all it takes:
script/plugin discover
script/plugin install acts_as_authenticated
script/generate authenticated User Account
before_filter :login_required
Bam! Controller protected.
- timalmond, on 10/12/2007, -0/+1
jeremy,
do you know one that does role-based authentication? I'm more after things where users can log in and have different roles within the system.
- lartexpert, on 10/12/2007, -0/+1
So was the author correct or not? Would setting the variable in a POST request change it without the protected modifier?
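The mass-assignment behaviour aidanf describes and lartexpert asks about, as an added example that is not from the article, the commenters or Rails itself: `TinyModel` is a hypothetical plain-Ruby stand-in for ActiveRecord's `new(params)` filtering, and the class names and posted values are constructed. It also goes one step further than the thread and shows that the deny-list form (`attr_protected`) lets a newly added attribute through while the allow-list form (`attr_accessible`) does not.

```ruby
# Added example: simplified stand-in for ActiveRecord mass assignment (not Rails code).
class TinyModel
  class << self
    # Deny-list: everything is assignable except the named attributes.
    def attr_protected(*names)
      @protected = names.map(&:to_s)
    end
    # Allow-list: only the named attributes are assignable.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end
    def assignable?(name)
      return @accessible.include?(name) if @accessible
      !(@protected || []).include?(name)
    end
  end
  attr_reader :attributes

  # Mimics User.new(params[:user]): copies request parameters into the model.
  def initialize(params = {})
    @attributes = {}
    params.each do |key, value|
      @attributes[key.to_s] = value if self.class.assignable?(key.to_s)
    end
  end
end

class OpenUser < TinyModel; end # no protection declared

class ProtectedUser < TinyModel
  attr_protected :id, :salt, :role
end

class AccessibleUser < TinyModel
  attr_accessible :username, :email, :password
end

# Constructed request body: the form's own fields plus two extra fields
# that the real form never sends.
POSTED = { "username" => "alice", "email" => "alice@example.com",
           "password" => "s3cret", "salt" => "fixed", "role" => "admin" }.freeze

# Returns the attribute names that mass assignment actually set.
def assigned_keys(model_class, params = POSTED)
  model_class.new(params).attributes.keys.sort
end

[OpenUser, ProtectedUser, AccessibleUser].each do |k|
  puts "#{k}: #{assigned_keys(k).inspect}"
  puts "  with is_admin posted: #{assigned_keys(k, POSTED.merge('is_admin' => true)).inspect}"
end
```

From Rails 4 onward the same filtering is done in the controller with strong parameters (`params.require(:user).permit(...)`), which is allow-list only.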
- Agret, on 10/12/2007, -2/+3
Anyone remember ColdFusion? Is Ruby going to go the same way?
- bscott86, on 10/12/2007, -3/+4
... or if you write lots of dynamic user-driven sites like most web developers who need user authentication, you could just copy and paste your framework in a few seconds.
- ghoppe, on 10/12/2007, -0/+0
Great! Please post a link to your code.
Don't forget to include the test suite to make sure everything works hunky-dory!
- MihaiM, on 10/12/2007, -4/+4
Isn't Ruby on Rails supposed to be easier to work with?
I've started to learn it and it looks interesting. Anyway I suppose you can use a plug-in for authentication to solve this faster. I've found many plugins for Ruby on Rails on the RoR's wiki page.
- JonGretar, on 10/12/2007, -1/+1
Sorry. forgot to add... Can you show me how you make a PHP authentication in 15 lines of code like you say you can.
- lartexpert, on 10/12/2007, -0/+0
Ahh, thanks Jeremy. +1: Insightful, or something... ;-)
- timalmond, on 10/12/2007, -5/+4
One of the things that put me off Rails was the lack of a user authentication system.
If you're going to build something that's a web framework, then it really should be a key component of it. Microsoft learned from ASP.NET 1.1 and put in some really nice components for it in ASP.NET 2.0. Django has one too.
It doesn't mean that you shouldn't be able to drop it, or to modify its behaviour (to, for instance, force user password changes or to change the "forgotten password" process).
I've had to build a full user/role authentication for a new system, and it ended up being a large percentage of the coding.
- timalmond, on 10/12/2007, -2/+1
I'd suggest that authentication is something used by most people, and is, as a rule common enough, or easily configurable based around people's requirements.
The key thing is that making it common to the framework helps to ensure that it is robust as it reaches a larger user base. Having a bunch of add-ons is less likely to.
I'm also more of a Python fan, so I'm biased towards Django.
- CaughtThinking, on 10/12/2007, -3/+1
I love how Ruby suddenly invented the "perfect object oriented language" when it's been around for years, and people regarded it as suck. I also love how yet another comment stream proves that the average Joe Rails user (self-proclaimed "genius/super-creative/awesome/loljavalol") is still huffing and puffing because he's simply so far above every other framework.
Talk about hypocrisy! In the same breath "Use the best tool for the job" and "Rails simply is the best tool". You guys are posting clones of DHH, complete with the contradictory and arrogant cluelessness.
When next year comes and the development community at large *still* doesn't give a crap about Rails, I hope you guys have found a new song to sing. Here's a hint, in the history of GUI programming for desktop, there has never been one framework to rule them all despite the many, many, tries. The same applies to the web, no matter what master David preaches.
Enjoy Web 2.0!
- richardiscool, on 10/12/2007, -4/+1
This made me laugh - after a lecture from a friend about how RoR was much simpler than PHP - I could do what that does in PHP/MySQL in about half that code!
- jzimmerman, on 10/12/2007, -4/+1
@hoofarted
http://manual.cakephp.org/chapter/19
CakePHP Simple User Authentication. CakePHP is a Rails-Like framework for PHP and MySQL.
That chapter will get you started. The rest is fairly trivial to write when adhering to CakePHP standards and functions.
- NeilSkoglund, on 10/12/2007, -14/+3
got it in one there, ROR seems so long when you can whip something up in php/.net in a few minutes
- rymac53, on 10/12/2007, -17/+5
True. My biggest complaint with ROR right now, nobody does anything for themselves. I don't trust generated code
- CaughtThinking, on 10/12/2007, -15/+3
Ah, the RoR intro tutorials continue, and yet the hype is finally starting to die...
Only a few more years and it will sink into the vat of unimportance it's destined for.
And no, I don't hate RoR, I just recognize it's the Segway of web development.

