authlogic: Another Take on Rails Authentication


There are certainly plenty of plugins available to handle authentication in Rails, with perhaps the most commonly-used being Restful Authentication. But there's always room for one more, and the latest I've run across is Ben Johnson's authlogic. It takes a fresh approach to the problem space, with one big advantage over many existing solutions: because it's a pure plugin rather than a generator, it doesn't litter your application with a ton of code.

The key to making this approach work is that you need to define a special user session model that inherits from authlogic's internals, rather than from ActiveRecord::Base:

class UserSession < Authlogic::Session::Base
end

With that in place, you can use the regular Rails generator to spin up a controller for user sessions, and write "natural" code. For instance, logging a user in is just a matter of running @user_session = UserSession.create(params[:user_session]). Similarly, destroying a UserSession instance logs the current user out.
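A plain-Ruby sketch of the pattern described above, added here as an example and not authlogic's own code: creating the session object is the login attempt and destroying it is the logout. SketchSession, USERS, password_digest and secure_equal? are hypothetical names, and the hash passed in stands in for the controller's session.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical helpers for this sketch; not authlogic's API.
def password_digest(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new('SHA256'))
end

def secure_equal?(a, b) # constant-time comparison of equal-length digests
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed user table; a real app would look up a User record instead.
SALT = SecureRandom.random_bytes(16)
USERS = { 'alice' => { salt: SALT, digest: password_digest('correct horse', SALT) } }.freeze
DUMMY_SALT = SecureRandom.random_bytes(16)

class SketchSession
  attr_reader :errors

  def initialize(store, credentials = {})
    @store = store # stands in for the controller's session hash
    @login = credentials[:login].to_s
    @password = credentials[:password].to_s
    @errors = []
  end

  def self.create(store, credentials)
    new(store, credentials).tap(&:save)
  end

  # "Saving" the session is the login attempt.
  def save
    record = USERS[@login]
    # Run the KDF even for unknown logins so both failures cost the same.
    candidate = password_digest(@password, record ? record[:salt] : DUMMY_SALT)
    unless record && secure_equal?(candidate, record[:digest])
      @errors << 'Login or password is invalid' # one message for both failures
      return false
    end
    @store.clear # drop pre-login state, as Rails' reset_session would
    @store[:user_login] = @login
    true
  end

  # Destroying the session object is the logout.
  def destroy
    @store.clear
    true
  end
end
```
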

In addition to the source code, you can explore an Authlogic Setup Tutorial or play with an implemented example online. I haven't used authlogic in a client project yet, but after experimenting with it in some test code, it's definitely on my list for the next time I need to roll out authentication as a feature.


9 Comment Responses to “authlogic: Another Take on Rails Authentication”

  1. #1
    Mark Holden Says:

    Thanks for posting this, this is really nice. Definitely going to be my choice for authentication in my next app.

  2. #2
    Alistair Holt Says:

    Great. I'll give this a try!

  3. #3
    Vitor Pellegrino Says:

    OMG, I think this is one of the best news of this year.
    I could not stand anymore the intrusive way that Restful Authentication treated this problem.

  4. #4
    Bruno Carvalho Says:

    Certainly a great plugin, way better than the intrusive Restful Authentication.

    Thanks for sharing this...

  5. #5
    Peter Cooper Says:

    I haven't updated the template yet, but note that this post was written by Mike Gunderloy. One of Rails Inside's new writers :)

  6. #6
    reck Says:

    The fact that the User model deals with sessions and cookies concerns me a bit. I'm not a purist, but it breaks the MVC lines enough to give me pause.

  7. #7
    Ben Johnson Says:

    Great post, thanks for promoting this.

    reck, you make some good / obvious points. But where do sweepers lie in the MVC architecture? In my opinion, they blur the lines of the MVC structure a little bit too, but they make expiring caches extremely easy. They are connected to models, who ultimately trigger if caches expire or not. I just took that same idea and applied it to sessions.

    Lastly, the UserSession doesn't have to be labeled as a model. Why not label it as a controller utility? You can extract controller logic out into a class. I recommend putting it in the models directory to emphasize that it can be used like a model, which ultimately fits into the conventional style of RESTful development. But it could just as easily fit in your lib directory. Just something to get people to look at this from a different angle, hopefully this clarifies my perspective on the library.

  8. #8
    Sam Says:

    No offense to Rails core, but RESTful authentication is heavy and intrusive. It just doesn't make any sense. A user's session is an instance of a model, UserSession. Enough said.

  9. #9
    Amol Hatwar (rubygem) Says:

    Goes to say that less is indeed more :).
