 | This is a user sandbox of Rshah5. A user sandbox is a subpage of the user's user page. It serves as a testing spot and page development space for the user and is not an encyclopedia article. |
Introduction
editAuthLogic and Devise are both Ruby gems that provide the same service, authentication. While they are similar in most cases, their differences make them individual gems.This Wiki Page is a comparative study on these two Ruby gems.
AuthLogic has 65 versions with the latest one being version 3.4.6, released on July 13th, 2015. The first version was released on 3rd November, 2008. The author for AuthLogic is Ben Johnson of Binary Logic[1]. The gem that was popular before AuthLogic was restful_authentication. Unlike restful_authentication, AuthLogic generates only the authentication logic and not the Model-View-Controller pattern thereby resulting in a clean and uncomplicated code that is relatively easier to understand.[2]
Devise has a total of 136 versions between it’s first version in October 21, 2009 and latest one in August 10, 2015. The authors of this gem are José Valim and Carlos Antônio.[3]
| Parameters | Devise | AuthLogic |
|---|---|---|
| Latest Version | 3.5.2 | 3.4.6 |
| Latest Release Date | August 10, 2015 | July 13, 2015 |
| Software License | MIT | MIT |
| Platform | Cross-Platform | Cross-Platform |
| Security Grade[4] | 750 | 750 |
| Full Stack | Yes | No |
| Omni-Auth Support[5] | Yes | Yes |
| Runtime Dependencies | bcrypt ~> 3.0
orm_adapter ~>0.1 railties <5,>=3.2.6 responders >=0 thread_safe ~>0.1 warden ~>1.2.3 |
activerecord >= 3.2
activesupport >= 3.2 request_store ~> 1.0 scrypt < 3.0, >= 1.2 |
| ORM supported | ActiveRecord and Mongoid | ActiveRecord |
| Rails Version | 1.9.3 | 3 |
| Custom Controllers[6] | Yes | Yes |
| Activejob Integration | Yes | Yes |
Syntax and Examples
editrails generate devise <MODEL>
This is used to create the devise functionality to any model named “MODEL”.
> rails generate devise User
before_<ACTION> :authenticate_<MODEL> ! As the command suggests, this is used to authenticate a particular model before an action is performed. If the result of this is false, then the action is not performed.
> before_filter :authenticate_user!
current_user
This method returns the user which is currently logged in the system.
user_signed_in?
This method checks whether the user has signed in or not.
To create a new session.
UserSession.create(:login => "name", :password => "password", :remember_me => true)
To save the session.
session.save
To destroy the session.
session.destroy
Persisting a session (i.e. finding the record) across requests. It keeps the user logged in.
session = UserSession.find
Security
editDevise
editOn 25th November 2010, Plataformatec had released Devise 1.0.9 to fix a vulnerability caused due to session fixation. This attack affected server stores like ActiveRecord and MemCached. But had no effect on cookie based stores which is provided by Rails by default.[9]
On 26th Jan, 2013, Plataformatec fixed a bug which involved the conversion of string so that it does not return incorrect records. Previously, an attacker could shoot a query which could provide unauthorised access.[10]
A similar fixation attack was made on the CSRF token later in August 2013. This vulnerability allowed the attackers to perform cross-site forgery request to the server. The vulnerability was solved by deleting the CSRF token after the authentication has been made.[11]
Currently, the latest version 3.5.2, no vulnerabilities are reported.
AuthLogic
editAuthLogic hasn’t had any such security issue till date. However, the first reported vulnerability was in January, 2013 where AuthLogic was known to trigger SQL Injection in Rails. In the exploitable scenario, two things were required to be known:
1) Whether AuthLogic was being used.
2) Whether the session secret token was known.
However, how exactly the vulnerability worked was not explained resulting in confusion. The solution to overcome this vulnerability was to upgrade to the latest Rails version or to uphold the secrecy of the session token, by ensuring the default one isn’t used for every new session.[12]
External Links
editReferences
edit- ^ a b "authlogic | RubyGems.org | your community gem host". rubygems.org. Retrieved 2015-09-16.
- ^ "#160 Authlogic - RailsCasts". railscasts.com. Retrieved 2015-09-16.
- ^ a b "devise | RubyGems.org | your community gem host". rubygems.org. Retrieved 2015-09-16.
- ^ SECUR1TY. "SECUR1TY: Security search engine and marketplace". secur1ty.com. Retrieved 2015-09-16.
{{cite web}}: CS1 maint: numeric names: authors list (link) - ^ "http://devise.plataformatec.com.br/".
{{cite web}}: External link in|title= - ^ "Bare-bone, stripped-down Devise". Retrieved 2015-09-16.
- ^ "Devise: flexible authentication solution for Rails". Retrieved 2015-09-16.
- ^ "binarylogic/authlogic". GitHub. Retrieved 2015-09-16.
- ^ "Session fixation vulnerability in Devise". Retrieved 2015-09-16.
- ^ "Security announcement: Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 released". Retrieved 2015-09-16.
- ^ "CSRF Token Fixation Attack in Devise".
- ^ "Rails SQL injection vulnerability: hold your horses, here are the facts". Phusion Blog. Retrieved 2015-09-16.