Chapter 14. Users and Authentication

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

Bruce Schneier

While sessions expand your application-building possibilities, almost any interactive application that will be around for a while needs to be able to keep track of users. You might be a little surprised to hear that, unlike many web frameworks, Rails itself doesn’t include any mechanisms for tracking users. That isn’t so much a failure as an opportunity for developers to create their own authentication approaches. There are many gems available for Rails that make authentication a snap to implement. However, writing code for your own authentication is not terribly difficult, so that is how we will approach authentication in this chapter. The code we will be using is based on an updated version of Ryan Bates’s “Authentication from Scratch” Railscast. This screencast was written for Rails 3, but watching it will give you a good sense of what the code is doing. Writing your own authentication gives you much more control over your code, and if you do use a gem, you may find yourself quickly overwriting or rewriting many parts of the code provided by the gem.


Two of the most popular gems for authentication are Devise and OmniAuth. While Devise is by far the most popular authentication gem in the Rails community, OmniAuth has the advantage of providing libraries for third-party authentication ...
