Forum: Ruby on Rails RE: Salted Hash Login Generator

Piet Hadermann (piet)
on 2006-01-26 14:28
(Received via mailing list)
Hmmm... I tried it the other night (with rails 1.0) and was under the
impression that although the tests failed (I *think* it had something to
do with me using an older version of mysql), everything was working as
far as I know.

I could really do with some clear docs somewhere though... The wiki page
contains a lot of info, but mostly without any indication of which
versions of rails and the login generator itself were used, which is a
shame.

Piet.
Ben Munat (Guest)
on 2006-01-26 18:31
(Received via mailing list)
Piet Hadermann wrote:
> Hmmm... I tried it the other night (with rails 1.0) and was under the
> impression that although the tests failed (I *think* it had something to do
> with me using an older version of mysql), everything was working as far
> as I know.
>
> I could really do with some clear docs somewhere though... The wiki page
> contains a lot of info, but mostly without any indication of which versions
> of rails and the login generator itself were used, which is a shame.

+1 on this... the wiki page is a mess and the Localization wiki page
(which is a required dependency) is blank! Deirdre Saoirse Moen, are you
out there? Are you maintaining SaltedHashLoginGenerator? Anyone know
enough about either generator to fix up the wiki pages?

b

PS: Piet, you might dig into where the tests are failing... I was able
to find solutions to each of the problems until the tests were passing.
Sorry I can't remember what my solutions were... Now my problem is that
I used it on a brand new project and none of the actions/views seem to
work... I probably haven't generated what I thought I generated.
James Ho (Guest)
on 2006-01-26 19:04
(Received via mailing list)
Hasn't all of this been moved into the engines framework? If you are
using rails 1.0 then perhaps you should look into the LoginEngine?

http://rails-engines.org/login_engine

-james
Ezra Zygmuntowicz (Guest)
on 2006-01-26 20:34
(Received via mailing list)
On Jan 26, 2006, at 9:30 AM, Ben Munat wrote:

>> of rails and the login generator itself were used, which is a shame.
> able to find solutions to each of the problems until the tests were
> passing. Sorry I can't remember what my solutions were... Now my
> problem is that I used it on a brand new project and none of the
> actions/views seem to work... I probably haven't generated what I
> thought I generated.

Folks-

	I think you will find that you will have a much easier time using
the acts_as_authenticated plugin. It does everything that the salted
hash generator does but it is much clearer what's going on, all its
tests pass and it is very very much easier to customize for your app.
The salted hash gen is a bit bloated and IMHO it tries to abstract
things a bit too much and sacrifices readability. Plus it is so
spread out that it makes it hard to hold it all in your head at once
to understand everything that's going on. You will have a much easier
time grokking the acts_as_authenticated generator. It has activation,
mailers and it uses a different salt for every user.

	I use this as the basis for most apps I do that need auth these days
because it is much less imposing on your app. You will be much more
able to bend it to what you need than with the salted hash.

Cheers-
-Ezra Zygmuntowicz
Yakima Herald-Republic
WebMaster
http://yakimaherald.com
509-577-7732
ezra@yakima-herald.com
James Adam (Guest)
on 2006-01-27 01:00
(Received via mailing list)
It's not quite correct to think that the login engine actually
replaces the generator - they're originally based on the same code,
but their approaches to integrating with your own application are
quite different (engines are basically an alternative to generators).
The login engine is also under constant development through a
community process, whereas the SHLG doesn't seem to be at the moment.

That said, some people jus' don't like the idea of engines, which is
fair enough.

- james
Ben Munat (Guest)
on 2006-01-27 07:17
(Received via mailing list)
Ezra Zygmuntowicz wrote:
> everything that's going on. You will have a much easier time grokking
> the acts_as_authenticated generator. It has activation, mailers and it
> uses a different salt for every user.
>
>     I use this as the basis for most apps I do that need auth these
> days because it is much less imposing on your app. You will be much
> more able to bend it to what you need than with the salted hash.
>
Will take a look... though on a cursory examination, it appears to
generate the same stuff: a FooSystem mixin, the User model, a mailer,
etc.

And actually, I got SHLG to work... I think. Got it all installed and
got it to generate everything, but I did it on an empty project so I'm
not sure if missing methods/classes are my fault or SHLG's.

b
Ben Munat (Guest)
on 2006-01-27 07:20
(Received via mailing list)
haven't gotten engines to work yet... sigh....

b
Juan Lupión (Guest)
on 2006-01-27 09:06
(Received via mailing list)
Well, I managed to make the Login Engine work, but found a small
glitch when changing forgotten passwords (there is no User instance
when you access the app to change your password from a link with user
token in a received mail). I posted it to the list some days ago.

> James Ho wrote:
> > Hasn't all of this been moved into the engines framework? If you are
> > using rails 1.0 then perhaps you should look into the LoginEngine?
> >
> > http://rails-engines.org/login_engine

--
Jeroen van Doorn (Guest)
on 2006-01-27 14:04
(Received via mailing list)
Piet Hadermann wrote:
>>> Does this work with rails 1.0 ?  I saw that people said it
It's the same here, it works, have tested all the functions, but rake
fails...

Regards,
Jeroen
James Adam (Guest)
on 2006-01-27 15:20
(Received via mailing list)
It's very helpful if reproducible bugs are posted to the Engines Trac
site - it's much easier for me to keep track of them there and
consequently ensure they are fixed when they are listed there:

https://opensvn.csie.org/traccgi/rails_engines/trac.cgi/

- james
Ben Munat (Guest)
on 2006-01-27 17:48
(Received via mailing list)
James, I think Jeroen was talking about SHLG not the login engine...

b
James Adam (Guest)
on 2006-01-27 18:00
(Received via mailing list)
Yup - I replied to the wrong email there - the response was in reply to
Juan :)

- james
Greg Freemyer (Guest)
on 2006-01-28 00:24
(Received via mailing list)
On 1/27/06, James Adam <james.adam@gmail.com> wrote:
> It's very helpful if reproducible bugs are posted to the Engines Trac
> site - it's much easier for me to keep track of them there and
> consequently ensure they are fixed when they are listed there:
>
> https://opensvn.csie.org/traccgi/rails_engines/trac.cgi/
>
> - james
>

I just added a bugtrac that the change_password method should require
the user enter the current password prior to accepting a new password.

Not doing so is a security issue from my perspective.

i.e. What if a user at a public internet terminal forgets to log out?
It is bad enough that someone else could browse the rails site.  It is
even worse that they could change the password and get repeated access
to the site.

Greg
--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
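
Added example, not part of the thread and not code from the Login Engine or either generator: a sketch of the behaviour requested in the post above, where a password change is refused unless the current password is supplied, combined with the per-user salt mentioned earlier in the thread. `DemoUser`, its methods and the PBKDF2 parameters are assumptions made for illustration; PBKDF2 is this example's choice of salted hash.

```ruby
require "openssl"
require "securerandom"

# Hypothetical user record for illustration; not the Login Engine's User model.
class DemoUser
  ITERATIONS = 100_000 # assumed PBKDF2 work factor
  KEY_LEN = 32
  class ReauthenticationRequired < StandardError; end

  attr_reader :salt, :password_hash

  def initialize(password)
    store(password)
  end

  def authenticate?(candidate)
    secure_equal?(derive(candidate.to_s, @salt), @password_hash)
  end

  # A live session is not proof of identity: whoever sits at an abandoned
  # terminal has the session but not the current password.
  def change_password(current_password, new_password)
    raise ReauthenticationRequired, "current password is incorrect" unless authenticate?(current_password)
    raise ArgumentError, "new password must not be empty" if new_password.to_s.empty?
    store(new_password)
    true
  end

  private

  def store(password)
    @salt = SecureRandom.random_bytes(16) # fresh random salt per user, renewed on change
    @password_hash = derive(password, @salt)
  end

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, OpenSSL::Digest.new("SHA256"))
  end

  # Compare digests without an early exit on the first differing byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a Rails controller the rescue of `ReauthenticationRequired` would re-render the change-password form; that wiring is left out because it depends on the application.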