RE: Salted Hash Login Generator


#1

Hmmm… I tried it the other night (with rails 1.0) and was under the
impression that although the tests failed (I think it had something to do
with me using an older version of mysql), everything was working for as far
as I know.

I could really do with some clear docs somewhere though… The wiki page
contains a lot of info, but mostly without any indication of which versions
of rails and the login generator itself were used, which is a shame.

Piet.


#2

Piet H. wrote:

Hmmm… I tried it the other night (with rails 1.0) and was under the
impression that although the tests failed (I think it had something to do
with me using an older version of mysql), everything was working for as far
as I know.

I could really do with some clear docs somewhere though… The wiki page
contains a lot of info, but mostly without any indication of which versions
of rails and the login generator itself were used, which is a shame.

+1 on this… the wiki page is a mess and the Localization wiki page
(which is a required dependency) is blank! Deirdre Saoirse M., are you
out there? Are you maintaining SaltedHashLoginGenerator? Anyone know
enough about either generator to fix up the wiki pages?

b

PS: Piet, you might dig into where the tests are failing… I was able
to find solutions to each of the problems until the tests were passing.
Sorry I can’t remember what my solutions were… Now my problem is that I
used it on a brand new project and none of the actions/views seem to
work… I probably haven’t generated what I thought I generated.


#3

Hasn’t all of this been moved into the engines framework? If you are
using rails 1.0 then perhaps you should look into the LoginEngine?

http://rails-engines.org/login_engine

-james


#4

On Jan 26, 2006, at 9:30 AM, Ben M. wrote:

of rails and the login generator itself were used, which is a shame.
able to find solutions to each of the problems until the tests were
passing. Sorry I can’t remember what my solutions were… Now my
problem is that I used it on a brand new project and none of the
actions/views seem to work… I probably haven’t generated what I
thought I generated.


Rails mailing list
removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails

Folks-

I think you will find that you will have a much easier time using
the acts_as_authenticated plugin. It does everything that the salted
hash generator does but it is much clearer what’s going on, all its
tests pass and it is very very much easier to customize for your app.
The salted hash gen is a bit bloated and IMHO it tries to abstract
things a bit too much and sacrifices readability. Plus it is so
spread out that it makes it hard to hold it all in your head at once
to understand everything that’s going on. You will have a much easier
time grokking the acts_as_authenticated generator. It has activation,
mailers and it uses a different salt for every user.

I use this as the basis for most apps I do that need auth these days
because it is much less imposing on your app. You will be much more
able to bend it to what you need than with the salted hash.

Cheers-
-Ezra Z.
Yakima Herald-Republic
WebMaster
http://yakimaherald.com
509-577-7732
removed_email_address@domain.invalid


#5

Ezra Z. wrote:

everything that’s going on. You will have a much easier time grokking
the acts_as_authenticated generator. It has activation, mailers and it
uses a different salt for every user.

I use this as the basis for most apps I do that need auth these
days because it is much less imposing on your app. You will be much
more able to bend it to what you need than with the salted hash.

Will take a look… though on a cursory examination, it appears to
generate the same stuff: a FooSystem mixin, the User model, a mailer, etc.

And actually, I got SHLG to work… I think. Got it all installed and
got it to generate everything, but I did it on an empty project so I’m
not sure if missing methods/classes are my fault or SHLG’s.

b


#6

It’s not quite correct to think that the login engine actually
replaces the generator - they’re originally based on the same code,
but their approaches to integrating with your own application are
quite different (engines are basically an alternative to generators).
The login engine is also under constant development through a
community process, whereas the SHLG doesn’t seem to be at the moment.

That said, some people jus’ don’t like the idea of engines, which is
fair enough.

- james

#7

Well, I managed to make the Login Engine work, but found a small
glitch when changing forgotten passwords, (there is no User instance
when you access the app to change your password from a link with user
token in a received mail) I posted it to the list some days ago.

James Ho wrote:

Hasn’t all of this been moved into the engines framework? If you are
using rails 1.0 then perhaps you should look into the LoginEngine?

http://rails-engines.org/login_engine


#8

haven’t gotten engines to work yet… sigh…

b


#9

Piet H. wrote:

Does this work with rails 1.0 ? I saw that people said it

It’s the same here, it works, have tested all the functions, but rake
fails …

Regards,
Jeroen


#10

It’s very helpful if reproducible bugs are posted to the Engines Trac
site - it’s much easier for me to keep track of them there and
consequently ensure they are fixed when they are listed there:

https://opensvn.csie.org/traccgi/rails_engines/trac.cgi/

- james

#11

Yup - I replied to the wrong email there - the response was in reply to
Juan :)

- james

#12

On 1/27/06, James A. removed_email_address@domain.invalid wrote:

It’s very helpful if reproducible bugs are posted to the Engines Trac
site - it’s much easier for me to keep track of them there and
consequently ensure they are fixed when they are listed there:

https://opensvn.csie.org/traccgi/rails_engines/trac.cgi/

- james

I just added a bugtrac that the change_password method should require
the user enter the current password prior to accepting a new password.

Not doing so is a security issue from my perspective.

i.e. What if a user at a public internet terminal forgets to log out?
It is bad enough that someone else could browse the rails site. It is
even worse that they could change the password and get repeated access
to the site.

Greg

Greg F.
The Norcross Group
Forensics for the 21st Century
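
Two points raised in this thread, a different salt for every user (#4) and requiring the current password before a password change (#12), as an added Ruby sketch that is not code from SHLG, the LoginEngine or acts_as_authenticated. The `User` class, its method names and the PBKDF2 parameters are assumptions for illustration; PBKDF2-HMAC-SHA256 stands in for whatever hash those generators use.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical stand-in for a generated User model (plain Ruby, no Rails).
class User
  ITERATIONS = 100_000 # assumed work factor for this sketch

  attr_reader :salt, :password_hash

  def initialize(password)
    store_password(password)
  end

  # True only when the supplied password matches the stored salted hash.
  def authenticated?(password)
    secure_equal?(digest(password, @salt), @password_hash)
  end

  # An open session alone is not enough: the caller must prove knowledge
  # of the current password before the new one is accepted.
  def change_password(current, new_password, confirmation)
    return false unless authenticated?(current)
    return false if new_password.to_s.empty? || new_password != confirmation
    store_password(new_password)
    true
  end

  private

  # A fresh random salt per user and per password change, so two users
  # with the same password never share a stored hash.
  def store_password(password)
    @salt = SecureRandom.hex(16)
    @password_hash = digest(password, @salt)
  end

  def digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password.to_s, salt, ITERATIONS, 32,
                               OpenSSL::Digest.new('SHA256')).unpack1('H*')
  end

  # Comparison that does not stop at the first differing byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a controller, a `false` return would re-render the form without touching the stored hash, so someone sitting down at a forgotten session cannot take over the account.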


#13

James, I think Jeroen was talking about SHLG not the login engine…

b