What is the security like behind Authlogic and/or Devise in Rails?_问答_开发者

What is the security like behind Authlogic and/or Devise in Rails?

开发者 https://www.devze.com 2023-03-16 03:26 出处：网络

With all this talk of Authlogic or Devise, which ones easier to install and useful etc. (Can\'t decide which one I like more so far.)

With all this talk of Authlogic or Devise, which ones easier to install and useful etc. (Can't decide which one I like more so far.)

I've just been blindly using th开发者_如何学Cen and assuming they both have rock-solid security.

So my question is, what is the security like behind these plugins and which offers the best protection to the user? Or they the same?

Is one better than the other, and are there any security issues?

If using Rails 3, I suggest Devise.

When I moved from rails 2 to 3, I made the switch from Authlogic to devise. Comparing Devise to Authlogic isn't exactly apples to apples, although used without any customization they do offer the same key functionality. Devise itself comes with Warden, another gem for implementing authentication Strategies, one of which could actually be Authlogic. To me, the key difference then is really how the software is architected. Warden is a rack-based implementation, and built using standard web app patterns. Rails 3 is also a rack-based solution, which implies the architectures are more in sync. On top of Warden, Devise provides convenient session query methods and User model integration. Further, Devise has a pretty solid integration with Omniauth, which allows your app to easily use external authentication providers (facebook, twitter, linkedin, etc.).

The question of which provides better security is really moot. In either case you need to make configuration choices which will dictate "how secure" your application is. And there are other considerations beyond password encryption and session management not provided by either (e.g., when to use SSL, what encryption algorithm you use, password and password recovery policies, etc.).

Definitely do read the wiki and make sure you understand all the configuration options and make conscious choices. And never use "assume" in the same sentence as "security".

I tend to think that it's sometimes better to build things yourself than rely on gem magic. With that in mind, building user authentication and session management can be done in just a few hours (or much less if you = coding ninja). The http://ruby.railstutorial.org/ I thought gave a good step by step process on how to go about it. There are a few things to watch out for though... Anyway just my two cents.