In a lot of web applications, you need to control who can access your data. Authentication is the key to this type of security. Ruby on Rails has some plugins and gems that make authentication pretty easy. Here are a few: restful-authentication, authlogic, and devise.

When putting authentication together, make sure that your authentication schema stores passwords as salted one-way hashes rather than in the clear, with a separate random salt for each user, so that an attacker who gets hold of the database cannot tell which users are using the same password. Also make sure that your failed authentication messages read “Your username or password is incorrect.” rather than pointing out which specific field is incorrect. This will prevent hackers from mining your usernames and trying to guess their passwords.

Lost password messages should also report success every time. Since you won’t be able to decrypt the passwords, you should always give a message like “An email message has been sent to you to reset your password” even if the username or email isn’t in your system.

Finally, to avoid problems where people sniff networks with tools like Firesheep to capture usernames, passwords, and session cookies, make sure that you’re encrypting your logins and sessions with SSL. Use the ssl_requirement plugin to take care of this for you.
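The per-user salt, the uniform login failure message, and the always-successful reset reply described above, as an added example (not code from the original post or from any of the gems it names). It uses only the Ruby standard library; the in-memory USERS hash and the send_reset_email stub are constructed stand-ins for a Rails User model and mailer, and the PBKDF2 iteration count is an assumed value.

```ruby
require "openssl"
require "securerandom"

ITERATIONS = 100_000   # assumed work factor; tune for your hardware
KEY_LENGTH = 32
LOGIN_FAILURE = "Your username or password is incorrect."
RESET_MESSAGE = "An email message has been sent to you to reset your password."

# Salted one-way hash. A fresh random salt per user means two accounts with the
# same password still end up with different digests.
def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LENGTH,
                                      OpenSSL::Digest.new("SHA256"))
  { salt: salt, digest: digest.unpack1("H*") }
end

# Compare every byte so the comparison time does not leak where the mismatch is.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed user store standing in for the User model (same password on purpose).
USERS = {
  "alice" => hash_password("correct horse battery staple"),
  "bob"   => hash_password("correct horse battery staple"),
}
# Dummy record so an unknown username costs the same hashing work as a real one.
DUMMY = hash_password("placeholder-for-unknown-users")

# One failure message whether the username or the password was wrong.
def authenticate(username, password)
  record = USERS.fetch(username, DUMMY)
  candidate = hash_password(password, record[:salt])[:digest]
  ok = constant_time_equal?(candidate, record[:digest]) && USERS.key?(username)
  ok ? { ok: true, user: username } : { ok: false, message: LOGIN_FAILURE }
end

SENT_RESETS = []  # stub mailbox; a real app would deliver an email here
def send_reset_email(username)
  SENT_RESETS << username
end

# Reply identically whether or not the account exists; only the side effect differs.
def request_password_reset(username)
  send_reset_email(username) if USERS.key?(username)
  RESET_MESSAGE
end
```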