3.10. Summary

Managing user authentication is a critical security task for many web applications. In Rails, a user is managed much like any other resource. The user's password should be stored in the database in an encrypted state rather than in plain text, and the encryption should be augmented with a random salt so that two users with the same password do not produce the same stored value. Rails validations can be used to verify the password confirmation submitted in the form.
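As an added illustration of the advice above (example code, not from the book or from Rails itself), the following plain-Ruby `User` class stores only a random per-user salt and a salted PBKDF2-SHA256 digest, checks the password confirmation before accepting a password, and compares digests in constant time. The class name, the `set_password`/`authenticate` method names and the iteration count are assumptions chosen for the example.

```ruby
require "openssl"
require "securerandom"

# Stores a salted digest of the password, never the password itself, and
# enforces a confirmation check the way a Rails validation would.
class User
  ITERATIONS = 100_000   # PBKDF2 work factor (assumed value for the example)
  KEY_LENGTH = 32        # bytes of derived key

  attr_reader :login, :salt, :password_digest, :errors

  def initialize(login)
    @login = login
    @errors = []
  end

  # Mirrors a Rails confirmation validation: refuse a blank password or a
  # mismatching confirmation; otherwise store a fresh salt plus digest.
  def set_password(password, confirmation)
    @errors = []
    @errors << "password can't be blank" if password.to_s.empty?
    @errors << "password doesn't match confirmation" unless password == confirmation
    return false unless @errors.empty?

    @salt = SecureRandom.hex(16)                # random salt, unique per user
    @password_digest = User.digest(password, @salt)
    true
  end

  # Re-derive the digest from the candidate password and the stored salt.
  def authenticate(candidate)
    return false if @password_digest.nil?
    User.secure_compare(User.digest(candidate.to_s, @salt), @password_digest)
  end

  # PBKDF2-HMAC-SHA256 of password and salt, returned as a hex string.
  def self.digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LENGTH,
                               OpenSSL::Digest.new("SHA256")).unpack1("H*")
  end

  # Constant-time comparison so response timing does not leak digest bytes.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a Rails model the salt and digest would be the persisted columns and `set_password` would be the writer called from the form; the salt is not secret and can be stored beside the digest, since its job is only to make each stored value unique.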

Form builders can be used to automate the repetitive aspects of maintaining a common form layout across your application. The login and logout actions can be managed as part of a separate RESTful controller or as part of the user's controller.

Once user authentication is in place, some simple helper methods enable you to mark blocks of code as accessible only to users who have logged in. You can also use the simple_access_control plugin to define more specialized access control. A token system can be used to support authorization via email.

CAPTCHA is a test designed to prevent automated submissions from abusing the system. A traditional distorted image can be used, or you can build a test around any kind of logic problem that is difficult for a program to solve. The same token system can help support the CAPTCHA check.

Cookies are used to provide authentication that persists beyond a single user session. However, you must be careful not to introduce security issues with this method of access
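The chapter mentions one token mechanism behind three features: authorization links sent by email, CAPTCHA challenges, and login cookies that outlive a session. The store below is an added example (not the book's code, and not a Rails API) showing the properties a practitioner wants from such tokens: random values, kept server-side only as a digest, bound to a purpose, expiring, and single-use, with a `rotate` helper so a persistent cookie is replaced on every visit instead of being reused. The `TokenStore` class, its method names and the purpose symbols are assumptions; the in-memory Hash stands in for a database table, and the injectable clock exists so expiry can be exercised offline.

```ruby
require "securerandom"
require "digest"

# One token store for email authorization, CAPTCHA challenges and
# persistent login cookies. Only a SHA-256 digest of each token is kept,
# so a copy of the table does not yield usable tokens.
class TokenStore
  Record = Struct.new(:purpose, :subject, :expires_at, :answer)

  def initialize(clock = -> { Time.now })
    @clock = clock
    @records = {}   # digest of raw token => Record
  end

  # Issue a token for +purpose+ on behalf of +subject+ (e.g. a user id or a
  # session id). +answer+ is the expected CAPTCHA answer, if any. The raw
  # token is returned exactly once; only its digest is stored.
  def issue(purpose, subject, ttl_seconds:, answer: nil)
    raw = SecureRandom.urlsafe_base64(32)
    @records[digest(raw)] = Record.new(purpose, subject,
                                       @clock.call + ttl_seconds, answer)
    raw
  end

  # Redeem a token, returning its subject, or nil when the token is unknown,
  # was issued for a different purpose, has expired, or the CAPTCHA answer
  # is wrong. The record is deleted on any attempt, so a token can be
  # neither replayed nor brute-forced by retrying the answer.
  def redeem(raw, purpose, answer: nil)
    record = @records.delete(digest(raw.to_s))
    return nil if record.nil?
    return nil if record.purpose != purpose
    return nil if @clock.call > record.expires_at
    return nil if record.answer && record.answer != answer
    record.subject
  end

  # For persistent login cookies: consume the presented token and hand back
  # the subject together with a fresh token to set in the cookie.
  def rotate(raw, purpose, ttl_seconds:)
    subject = redeem(raw, purpose)
    return nil if subject.nil?
    [subject, issue(purpose, subject, ttl_seconds: ttl_seconds)]
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```

The email flow is `issue(:email_confirm, user_id, ttl_seconds: ...)` placed in the link and `redeem` in the controller that handles the click; the CAPTCHA flow stores the expected answer at issue time and passes the user's answer to `redeem`; the cookie flow calls `rotate` on each request that presents the cookie and writes the returned token back, so a stolen cookie value stops working as soon as the legitimate browser uses it again.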
