Tags: ruby-on-rails, authentication, before-filter

Should I limit login attempts in Rails?


I'm thinking about building a login system for Ruby on Rails, much like this one

http://visionmasterdesigns.com/tutorial-create-a-login-system-in-ruby-on-rails/

In terms of security, should I limit the attempts a user can have to login if they get their username wrong?

Also, the basic steps of a login seem to be:

  • authenticating the username and password against those in the database
  • if the username and password are authentic, creating a session variable
  • a before filter so that pages that require login are protected.

Is there anything else I should consider?


Solution

  • Yes, limiting the number of login attempts per IP (not per session) increases security.

    Do you know there are already several authentication systems for Rails? There's no need to reinvent the wheel.
    Here is a non-exhaustive list.

    If you do not wish to use any of them, you can take example from what they're doing.

    Edit 2013
    The libraries provided above aren't up to date anymore, and I couldn't recommend using them in a new application. Take a look at devise.
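The per-IP attempt limit recommended above, as an added example that is not the answerer's code: a plain-Ruby limiter with an injectable clock (the `LoginAttemptLimiter` class, the 5-attempt / 15-minute defaults and the Rails wiring in the trailing comments are all assumptions made for this example).

```ruby
require 'time'

# Per-IP login attempt limiter (constructed example). Failed attempts are kept
# per client IP inside a fixed window; once the limit is reached, further
# attempts from that IP are refused until the oldest failures age out.
class LoginAttemptLimiter
  def initialize(max_attempts: 5, window_seconds: 900, clock: -> { Time.now })
    @max_attempts = max_attempts
    @window = window_seconds
    @clock = clock                              # injectable for testing
    @failures = Hash.new { |h, k| h[k] = [] }   # ip => [failure timestamps]
  end

  # True when this IP has hit the limit inside the current window.
  def blocked?(ip)
    prune(ip)
    @failures[ip].size >= @max_attempts
  end

  # Call on a failed username/password check.
  def record_failure(ip)
    prune(ip)
    @failures[ip] << @clock.call
  end

  # Call on a successful login so a legitimate user is not penalised later.
  def reset(ip)
    @failures.delete(ip)
  end

  def remaining_attempts(ip)
    prune(ip)
    [@max_attempts - @failures[ip].size, 0].max
  end

  private

  # Discard failures older than the window before every decision.
  def prune(ip)
    cutoff = @clock.call - @window
    @failures[ip].reject! { |t| t < cutoff }
  end
end

# Hypothetical Rails wiring (comments only, so this file runs as plain Ruby):
#   LIMITER = LoginAttemptLimiter.new
#   before_filter :check_login_attempts, only: :create
#   def check_login_attempts
#     head :too_many_requests if LIMITER.blocked?(request.remote_ip)
#   end
#   # in create: failed auth  -> LIMITER.record_failure(request.remote_ip)
#   #            success      -> LIMITER.reset(request.remote_ip); session[:user_id] = user.id
```

The in-memory hash only works for a single process; behind several app servers the counters need a shared store such as the database or a cache.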