Hack hack hack...

An open journal-- some of it written for you, but most of it is for me.

FIS Day28

Authentication

  • http is stateless
  • what we pass along with each request is our cookie

    • the cookie lives on the client, which means we can’t trust it
  • a cookie can carry a lot of raw data

    • you don’t really want to put data on the client
    • except the token: which is just a primary key for their session on my server
  • the session id in the cookie identifies the session

  • cookies live in the browser / sessions live on the server

    • the cookie is used to look up the session
  • form_for requires an ActiveRecord instance -> it needs a model

    • a login form has no model, so use form_tag(sessions_path) instead
Session Controller

class SessionsController < ApplicationController
  # Without this, a visitor would have to be logged in before they could log in.
  # The users controller needs the same exception for new/create (signup).
  skip_before_filter :login_required, :only => [:new, :create]

  def create
    user = User.find_by_email(params[:email])

    # has_secure_password gives us user.authenticate; checking only that the
    # email exists would let anyone log in as any address they know
    if user && user.authenticate(params[:password])
      session[:user_id] = user.id   # only the id goes into the server-side session
      redirect_to root_path         # assumes a root route is defined
    else
      flash[:notice] = 'login failed'
      redirect_to login_path
    end
  end

  def destroy
    session[:user_id] = nil
    reset_session                   # throws away the whole session, not just the id
    redirect_to login_path
  end
end
Application Controller

class ApplicationController < ActionController::Base
  # every action requires a login unless a controller skips this filter
  before_filter :login_required

  def login_required
    unless current_user
      redirect_to login_path, :notice => "please login"
    end
  end

  # the session only holds the id; the user row is fetched once per request
  def current_user
    @current_user ||= User.find_by_id(session[:user_id])
  end
  helper_method :current_user

  def logged_in?
    !current_user.nil?
  end
  helper_method :logged_in?
end
  • In the user model: has_secure_password

    • uses bcrypt to store a password digest instead of the password
    • password confirmation is optional with has_secure_password
    • if a hacker gains access to your logs and you don’t have the password field filtered, they can see all the passwords
  • hashing passwords
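To see the two ideas from these notes working together (an opaque session id in the cookie pointing at a server-side session, and a stored password digest checked with `authenticate`), here is an added plain-Ruby model of the Session Controller and Application Controller above; it is not code from the post or from Rails. It assumes PBKDF2 from OpenSSL as a stand-in for bcrypt, and an in-memory Hash as a stand-in for the session table.

```ruby
require 'openssl'
require 'securerandom'

# Stand-in for a User row whose password_digest was written by
# has_secure_password; only the digest is stored, never the password.
class User
  attr_reader :id, :email
  def initialize(id, email, password)
    @id, @email = id, email
    salt = SecureRandom.hex(16)
    @password_digest = "#{salt}$#{digest(password, salt)}"
  end
  # Mirrors user.authenticate(password): self on success, false otherwise.
  def authenticate(password)
    salt, stored = @password_digest.split('$', 2)
    candidate = digest(password, salt)
    # compare every byte so a wrong guess leaks nothing through timing
    same = candidate.bytesize == stored.bytesize
    candidate.bytes.zip(stored.bytes) { |a, b| same &= (a == b) }
    same ? self : false
  end
  private
  def digest(password, salt) # PBKDF2 stands in for bcrypt in this example
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, 'sha256').unpack('H*')[0]
  end
end

# Server-side session store: the cookie only ever carries the opaque id, a key into this table.
class SessionStore
  def initialize; @sessions = {}; end
  def create(user) # success path of SessionsController#create
    id = SecureRandom.hex(32)
    @sessions[id] = { user_id: user.id }
    id
  end
  # ApplicationController#current_user: the id is looked up here, so a forged
  # or unknown id yields nil; the user_id itself never left the server.
  def current_user(session_id, users_by_id)
    row = @sessions[session_id]
    row && users_by_id[row[:user_id]]
  end
  def destroy(session_id); @sessions.delete(session_id); end # reset_session
end

# The login flow from the Session Controller above, with the password check.
def login(store, users_by_email, email, password)
  user = users_by_email[email]
  user && user.authenticate(password) ? store.create(user) : nil
end
```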

Order.update(12, :name => "Barney", :email => "barney@bedrock.com")

  • is equivalent to

Order.find(12).update_attributes(:name => "Barney", :email => "barney@bedrock.com")

MISC
