
Updated links to authentication plugins.

Removed mention of restful_authentication.
Added devise and authlogic.
Also mention Rails 3.1 built-in logic.
commit f936996f69ec728b7c0d38cd30084fc74943f9c7 1 parent df5f88c
Joost Baaij authored October 28, 2011
2  railties/guides/source/security.textile
@@ -474,7 +474,7 @@ h3. User Management
474 474
 
475 475
 -- _Almost every web application has to deal with authorization and authentication. Instead of rolling your own, it is advisable to use common plug-ins. But keep them up-to-date, too. A few additional precautions can make your application even more secure._
476 476
 
477  
-There are some authorization and authentication plug-ins for Rails available. A good one saves only encrypted passwords, not plain-text passwords. The most popular plug-in is +restful_authentication+ which protects from session fixation, too. However, earlier versions allowed you to login without user name and password in certain circumstances.
  477
+There are a number of authentication plug-ins for Rails available. Good ones, such as the popular "devise":https://github.com/plataformatec/devise and "authlogic":https://github.com/binarylogic/authlogic, store only encrypted passwords, not plain-text passwords. In Rails 3.1 you can use the built-in +has_secure_password+ method which has similar features.
478 478
 
479 479
 Every new user gets an activation code to activate his account when he gets an e-mail with a link in it. After activating the account, the activation_code columns will be set to NULL in the database. If someone requested an URL like these, he would be logged in as the first activated user found in the database (and chances are that this is the administrator):
480 480
 
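Review bot: the rewritten paragraph at +477 drops the sentence that introduced the following example (the old "earlier versions allowed you to login without user name and password in certain circumstances"), but the unchanged paragraph at 479 ("Every new user gets an activation code ... If someone requested an URL like these, he would be logged in as the first activated user") still walks through that restful_authentication case, so the guide now presents an anecdote without saying which plug-in or version it refers to; either keep a one-line lead-in naming the plug-in and version, or rework the 479 paragraph in the same change. Two smaller points on the new wording: "store only encrypted passwords" is imprecise, since devise, authlogic and has_secure_password store salted password hashes (bcrypt in the case of has_secure_password), which is the property that actually protects users when the database leaks, so suggest "store only salted password hashes, not plain-text passwords"; and the old text's remark that the plug-in also protects against session fixation is lost, which is worth keeping since the guide covers session fixation elsewhere.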

0 notes on commit f936996
