I just saw a mention here of LoginEngine, which I hadn't heard of before. Last week when I was digging for user-account sample code for my web-app, I instead found the LoginGenerator and started using that:

http://wiki.rubyonrails.com/rails/pages/LoginGenerator

Is one of these preferred over the other? From skimming the API docs, it does seem that LoginEngine has more features, like email-based verification, that I've been hacking into LoginGenerator myself.

If LoginGenerator is deprecated, or if LoginEngine is seeing more active development, then I should probably switch over before deploying my app.

Thanks,

--Jens
on 2006-01-17 02:01
As found in the Book of Rails, Chapter 13, Verse 26-28:

"26. In The Beginning there was the LoginGenerator, whom didst spawn many working Rails applications. But the peoples of Railtopia were unsettled after a time. And, lo, LoginGenerator did eventually beget SaltedHashLoginGenerator, which included better salting and localization, and email verification, singing like heralds upon high.

27. And the children of SaltedHashLoginGenerator were fruitful, and partied like it was 1999. Except it was 2005.

28. Then, some weirdo developed Rails engines, and was particularly lazy in the eyes of the Lord, totally ripping off SaltedHashLoginGenerator as an example of his wicked way..."

In a nutshell, there's the original LoginGenerator, on which lots of authentication systems are based. One of these is the SaltedHashLoginGenerator, which adds a few features including localization and email verification. I believe Deirdre SM has stepped in to maintain this - she'll know better where its future lies.

The LoginEngine is an *example* of a development technique (http://rails-engines.org) which is heavily based on the SHLG. Feature-wise they are pretty much identical, although email is now optional, and the localization was totally removed. It continues to be developed and refined, and is very much open to public scrutiny and patching.

Your choice between using a generator and using an engine (any engine, the LoginEngine isn't the only possible authentication system possible using engines) should be based on how you evaluate the merits of either mechanism for sharing/reusing code. My personal view/propaganda is here:

http://rails-engines.org/wiki/pages/Engines+vs.+Generators

Whichever you choose, be prepared to get intimate with the code - there's no excuse for not working to understand how this code is going to function within your application!

Good luck :)

- James
on 2006-01-17 02:19
There's also Bruce Perens' ModelSecurity, which is more than just login:

http://perens.com/FreeSoftware/ModelSecurity/

which takes the multiple "layers of defense" approach. Haven't tried it yet, but meaning to...

<rant>Although, I'm sorely tempted to completely ignore it and even start dissing it simply because of the obnoxious ads on the page (when I just went to verify the url, the ad was for smileys and it includes a loud "heeelllllooo..." over and over!) C'Mon Bruce, save the ads for your home page! </rant>

b

PS: great (and amusing) summary James...