Rails Coach

006 RC Ruby on Rails Authentication Basics



In a lot of web applications, you need to control who can access your data. Authentication is the key to this type of security. Ruby on Rails has some plugins and gems that make authentication pretty easy. Here are a few:
restful-authentication
authlogic
devise
When putting authentication together, make sure that your authentication scheme encrypts (hashes) the stored passwords and adds a per-user salt, so that two accounts with the same password don't end up with the same stored value; that makes it much harder for an attacker who gets hold of the table to figure out which users are using the same password.
Also make sure that your failed-login message reads "Your username or password is incorrect." rather than pointing out which specific field is wrong. A field-specific message lets an attacker use the login form to confirm which usernames exist and then concentrate on guessing their passwords.
Lost-password requests should also report success every time. Because the stored passwords can't be decrypted, the reset flow emails a reset link rather than the password, so you can always respond with a message like "An email message has been sent to you to reset your password." even when the username or email isn't in your system; a different answer for unknown accounts would reveal which ones exist.
Finally, to keep usernames, passwords, and session cookies from being sniffed off the network with tools like Firesheep, make sure that you're encrypting your logins and sessions with SSL. The ssl_requirement plugin can take care of this for you.
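The salted-hash, generic-error and always-succeed-reset rules above, as an added Ruby example that is not the podcast's code nor that of any gem it names (SSL is a transport setting and is not modelled here). The in-memory users table, the mail outbox, the salt length and the PBKDF2 iteration count are assumptions made for the example.

```ruby
require "openssl"
require "securerandom"

# Added example, not code from the podcast or from any of the gems it names.
ITERATIONS = 100_000                      # PBKDF2 work factor (assumed value)
KEY_LEN = 32                              # derived hash length in bytes
GENERIC_LOGIN_ERROR = "Your username or password is incorrect."
RESET_MESSAGE = "An email message has been sent to you to reset your password."
USERS = {}                                # constructed in-memory stand-in for the users table
OUTBOX = []                               # constructed stand-in for the mailer
DUMMY_SALT = SecureRandom.hex(16)         # used when the username does not exist

# Derive a salted hash; a fresh random salt is generated unless one is supplied.
def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                                      OpenSSL::Digest.new("SHA256"))
  [salt, digest.unpack1("H*")]
end

# Constant-time comparison: the time taken does not depend on where the strings differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def register(username, password)
  salt, hash = hash_password(password)
  USERS[username] = { salt: salt, hash: hash }
end

# Returns [true, nil] on success, otherwise [false, GENERIC_LOGIN_ERROR] whether the
# username was unknown or the password was wrong.
def login(username, password)
  record = USERS[username]
  # Hash against a dummy salt for unknown users so response time does not reveal
  # whether the account exists.
  _, candidate = hash_password(password, record ? record[:salt] : DUMMY_SALT)
  return [true, nil] if record && secure_compare(candidate, record[:hash])
  [false, GENERIC_LOGIN_ERROR]
end

# Mail is only queued for accounts that exist, but the reply is identical either way.
def request_password_reset(username)
  OUTBOX << username if USERS.key?(username)
  RESET_MESSAGE
end
```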
Here's the video:
And the transcript:
Rails Coach Podcast episode 6.
Hey everybody and welcome back to the Rails Coach Podcast with Charles Max Wood, that’s me. This week we’re going to be talking about authentication. But before we get started I really want to talk about where things have been going with this podcast. It’s kind of been an exploratory mission for me to kind of figure out how I want to talk about Rails. The thing is that I’ve had the Teach Me to Code podcast for a while, and I really didn’t feel like once I moved it from the Rails Coach podcast to the Teach Me to Code Podcast that I could talk as deeply about Rails, and so I wanted to talk about that there.
The problem is that I’ve been talking about things that I feel like are better explained through demonstration as opposed to actually talking about principles that people should know when they’re programming in Rails. So what I’m going to do is I’m going to kind of change tactics a little bit. So I’m not going to go into as much things like; you should use this tool, you should use that tool. Well, I am, but I’m not going to go into how they’re used, I’m not going to go into what they are. What I’m going to try and do instead is I’m going to talk about general principles around certain things that are relevant to Rails. So, for example, this week I’m going to be talking about authentication, so I’ll probably bring up a few plugins or gems that you can use for authentication and I’ll talk about a few of the principles that define good practices for these different things.
So in this case I'm going to be talking about authentication, and there are things that I see that people generally get right, and there are a few things that I see that generally people don’t get right. I see these things, some of these things, done on these huge sites that have thousands and thousands of users and I’m flabbergasted that this is there because it’s so simple to just write a script that takes advantage of some of this stuff. And so I'm just going to jump right in on the authentication stuff.
First off, I just want to talk a bit about the history of authentication with Rails. It all kind of started, as far as I can tell, with the restful-authentication plugin that was written by Rick Olson. This was probably four or five years ago. And restful-authentication took advantage of the RESTful approach that Rails had implemented at the time and provided an authentication scheme where it used the RESTful paths like GET and POST and PUT and DELETE, to manage sessions, and so sessions were the resources that the restful-authentication handled.