
With all this talk of Authlogic or Devise, which one is easier to install, more useful, etc.? (Can't decide which one I like more so far.)

I've just been blindly using them and assuming they both have rock-solid security.

So my question is, what is the security like behind these plugins, and which offers the best protection to the user? Or are they the same?

Is one better than the other, and are there any security issues?

CafeHey

2 Answers

If using Rails 3, I suggest Devise.

When I moved from Rails 2 to 3, I made the switch from Authlogic to Devise. Comparing Devise to Authlogic isn't exactly apples to apples, although used without any customization they do offer the same key functionality. Devise itself comes with Warden, another gem for implementing authentication strategies, one of which could actually be Authlogic. To me, the key difference then is really how the software is architected. Warden is a Rack-based implementation, built using standard web app patterns. Rails 3 is also a Rack-based solution, which implies the architectures are more in sync. On top of Warden, Devise provides convenient session query methods and User model integration. Further, Devise has a pretty solid integration with OmniAuth, which allows your app to easily use external authentication providers (Facebook, Twitter, LinkedIn, etc.).

The question of which provides better security is really moot. In either case you need to make configuration choices which will dictate "how secure" your application is. And there are other considerations beyond password encryption and session management not provided by either (e.g., when to use SSL, what encryption algorithm you use, password and password recovery policies, etc.).

Definitely do read the wiki and make sure you understand all the configuration options and make conscious choices. And never use "assume" in the same sentence as "security".

pduey
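The "configuration choices" the answer refers to are concrete settings in Devise's generated initializer. The excerpt below is an added example, not code from the answer or from the Devise project; it shows the weak defaults a practitioner typically revisits and the values chosen for them here. Option names are the ones Devise's own generator writes into `config/initializers/devise.rb` (defaults and availability have shifted between Devise versions, so compare against the initializer your version generates), and the model must enable the matching modules (`devise :database_authenticatable, :recoverable, :rememberable, :lockable, :timeoutable`) for the settings to take effect. The `DEVISE_PEPPER` environment variable is an assumption about where the secret is kept.

```ruby
# config/initializers/devise.rb (excerpt) -- added example, not from the original answer.
Devise.setup do |config|
  # bcrypt work factor. The generator sets 1 in the test environment so the
  # suite runs fast; make sure that value never reaches production.
  config.stretches = Rails.env.test? ? 1 : 12

  # App-wide secret mixed into every password hash and kept out of the
  # database, so a dumped users table alone is not enough to crack offline.
  config.pepper = ENV.fetch("DEVISE_PEPPER")   # assumption: secret lives in ENV

  # Session hygiene (Timeoutable / Rememberable): idle sessions expire and a
  # sign-out invalidates every "remember me" cookie, not just the current one.
  config.timeout_in = 30.minutes
  config.expire_all_remember_me_on_sign_out = true

  # Online brute force (Lockable): lock after repeated failures; unlock by
  # time or by e-mail link.
  config.lock_strategy    = :failed_attempts
  config.maximum_attempts = 10
  config.unlock_strategy  = :both
  config.unlock_in        = 1.hour

  # Recovery (Recoverable): reset links stop working after this window.
  config.reset_password_within = 2.hours

  # Don't tell an attacker whether an address is registered when they request
  # a reset or confirmation e-mail.
  config.paranoid = true

  # Sign-out must not be reachable by GET; a GET sign-out can be triggered
  # from any page with an <img> tag.
  config.sign_out_via = :delete

  config.password_length = 8..128
end
```

None of these settings change what Devise stores or how it hashes; they decide how much the library's machinery is actually used. The same review applies to Authlogic's per-model options, which is the sense in which neither gem is "more secure" out of the box.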

I tend to think that it's sometimes better to build things yourself than rely on gem magic. With that in mind, building user authentication and session management can be done in just a few hours (or much less if you = coding ninja). I thought http://ruby.railstutorial.org/ gave a good step-by-step process on how to go about it. There are a few things to watch out for though... Anyway, just my two cents.

sybohy

The security problem with whipping up a solution by yourself is that nobody reviews it. If you use a popular library, you know hundreds of people have looked at the code for security holes. – Leopd Apr 27 '12 at 00:25

I think that's a valid point for the encryption side of security, where you never want to whip up your own encryption. However, for implementing authentication, I personally like doing it on my own since I gain more long-term flexibility from it. Yes, you are right, you don't have the benefit of code review (unless you code in a team), but it doesn't seem too far-fetched that you can test it pretty thoroughly, using adapted test code from popular libraries if need be. Regardless, nothing is fully secure. – sybohy May 08 '12 at 03:49
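The answer above says hand-rolling authentication takes a few hours and that "there are a few things to watch out for" without listing them. The block below is an added example, written for this page and not code from the answer, from the comments, or from railstutorial.org; it is the minimal credential store a practitioner would write in plain Ruby (stdlib only, Struct in place of an ActiveRecord model, no persistence) so that each of the things the libraries handle for you is visible: a stretched, salted, peppered password hash with the cost stored beside it; constant-time comparison of hashes and tokens; a failed-attempt lockout; and a time-limited, single-use password-reset token of which only a digest is stored. The module name, the constants (iteration count, lockout window, token lifetime) and the `AUTH_PEPPER` variable are assumptions chosen for the example.

```ruby
require "openssl"
require "securerandom"
require "digest"

# Added example, not from the original answer or from railstutorial.org.
# The pieces a hand-rolled Rails authentication has to get right itself.
module HomegrownAuth
  ITERATIONS = 100_000        # assumption: tune so one hash costs ~100 ms
  KEY_LEN    = 32
  MAX_FAILED = 10             # lock the account after this many failures
  LOCK_FOR   = 15 * 60        # seconds
  RESET_TTL  = 2 * 60 * 60    # password-reset token lifetime, seconds
  # Site-wide secret kept outside the database (ENV here), so a dumped users
  # table alone is not enough to crack the hashes offline.
  PEPPER = ENV.fetch("AUTH_PEPPER", "example-pepper-replace-me")

  # Stand-in for the users table; a real app persists these columns.
  User = Struct.new(:email, :password_digest, :failed_attempts, :locked_until,
                    :reset_digest, :reset_sent_at)

  def self.new_user(email, password)
    User.new(email, hash_password(password), 0, nil, nil, nil)
  end

  # PBKDF2-HMAC-SHA256 with a per-user random salt. The iteration count is
  # stored with the hash so the cost can be raised later without a migration.
  def self.hash_password(password, salt: SecureRandom.bytes(16), iterations: ITERATIONS)
    dk = derive(password, salt, iterations)
    ["pbkdf2-sha256", iterations, salt.unpack1("H*"), dk.unpack1("H*")].join("$")
  end

  def self.verify_password(password, stored)
    algo, iter, salt_hex, dk_hex = stored.to_s.split("$")
    return false unless algo == "pbkdf2-sha256" && iter && salt_hex && dk_hex
    candidate = derive(password, [salt_hex].pack("H*"), iter.to_i).unpack1("H*")
    secure_compare(candidate, dk_hex)   # never plain == on secrets
  end

  def self.derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password.to_s + PEPPER, salt: salt,
                             iterations: iterations, length: KEY_LEN, hash: "sha256")
  end

  # Constant-time comparison: String#== returns at the first differing byte,
  # which leaks how much of a token or hash a guess got right.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Login with a failed-attempt lockout. Returns :ok, :locked or :invalid.
  # In a Rails controller, also call reset_session on :ok so a session id
  # handed out before login is not carried over (session fixation).
  def self.authenticate(user, password, now: Time.now)
    return :locked if user.locked_until && now < user.locked_until
    if verify_password(password, user.password_digest)
      user.failed_attempts = 0
      user.locked_until = nil
      :ok
    else
      user.failed_attempts += 1
      user.locked_until = now + LOCK_FOR if user.failed_attempts >= MAX_FAILED
      :invalid
    end
  end

  # Password reset: the raw token goes to the user (by e-mail); only its
  # SHA-256 digest is stored, so reading the database yields no usable token.
  def self.issue_reset_token(user, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    user.reset_digest  = Digest::SHA256.hexdigest(token)
    user.reset_sent_at = now
    token
  end

  # Time-limited, single-use redemption. Sets the new password and returns
  # true, or returns false if the token is unknown, expired or already used.
  def self.redeem_reset_token(user, token, new_password, now: Time.now)
    return false unless user.reset_digest && user.reset_sent_at
    return false if now - user.reset_sent_at > RESET_TTL
    return false unless secure_compare(Digest::SHA256.hexdigest(token.to_s), user.reset_digest)
    user.password_digest = hash_password(new_password)
    user.reset_digest = user.reset_sent_at = nil
    user.failed_attempts = 0
    user.locked_until = nil
    true
  end
end
```

Each of these is something Devise or Authlogic does by default (Devise, for instance, uses bcrypt rather than PBKDF2 and stores only a digest of its reset tokens); the point of the example is that a homegrown version has to remember every one of them, and a test suite adapted from a library's own tests, as the comment above suggests, is a reasonable way to check that it does.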