Remember Me’s with Rails

Brett Wejrowski — Fri, 26 Sep 2008 18:51:13 +0000

I recently had a need for a login system that needed a ‘remember me’ function. After hours of looking through countless blogs, I came to the conclusion that either (1) people don’t use a remember me function with custom authentication systems for Rails, or (2) they don’t talk about it. In this article, I outline a simple remember me system using the cookie variable in Rails that will tack on to most custom authentication systems.

Using the cookie functions in Rails is pretty straightforward. It’s used with the ActionController and is quite simple to use. Most people use sessions for authentication, which is a good idea. Sessions, unlike cookies, automatically save your content as encrypted strings using the browsers cookies. ActionController#cookie provides a method for saving information in the browser, but you need to hash the content yourself if need be.

However, if a user selects the remember me option when logging in, we would like to have the session expiration set to be a longer period, like 30 days. Unfortunately, this is quite difficult to do if you don’t want to change the expiration of ALL sessions.

My site already uses sessions for authentication, and I’m going to leave that be. In fact, I’m not going to change anything about the session variable at all. This way, I can add this remember function to almost any authentication system I use in the future very easily.

When a user is authenticated and has selected the “remember me” option, I do two things:

- create a cookie that stores (plain text) the user’s id (you can use name, email, etc. but I prefer the id because it says nothing about the user to anyone trying to get information)

- create a second cookie with an hashed string of some other information about the user( name, email, address )

if params[:rememberMe]
userId = (@user.id).to_s
cookies[:remember_me_id] = { :value => userId, :expires => 30.days.from_now }
userCode = Digest::SHA1.hexdigest( @user.email )[4,18]
cookies[:remember_me_code] = { :value => userCode, :expires => 30.days.from_now }
end

For the hashing of the second piece of information, use a hash such as SHA1 or MD5. We can use these two cookies to authenticate a user when they return after a session has expired.

if ( cookies[:remember_me] and cookies[:remember_me] and User.find( cookies[:remember_me]) and Digest::SHA1.hexdigest( User.find( cookies[:remember_me] ).email )[4,18] == cookies[:remember_me_code]  )
@u = User.find( cookies[:remember_me_id] )
session['user'] = @u.id
end

Just work that into your :before_filter for your authentication system, and you’re all set. Make sure you delete the variables when someone logs out:

if cookies[:remember_me_id] then cookies.delete :remember_me_id end
if cookies[:remember_me_code] then cookies.delete :remember_me_code end

****Edit: make sure to have “require ‘digest/sha1′” at the top of any page where you are using the SHA1 hash.

Simple login with Rails

Brett Wejrowski — Thu, 11 Sep 2008 15:47:39 +0000

We recently beta launched a new site, motionspire.com. Our main goal for the launch was to get statistics from user testing, mainly from a targeted audience. In order to keep a limited user base, we wanted to make visitors create a beta account, and use a login system in order to view the site.

I wanted to create a quick and simple login system that was, most importantly, temporary. The authentication didn’t require a lot of security because no user information was stored in our db other than an email and password. I also wanted to contain all the code for the system (as much as possible at least) in a few different directories, so I can easily remove the system for the main launch.

Here is the process I wanted to create:

1. user comes to the site, and inputs an email address requesting a beta account
2. the user gets an email with (1) a link to create their password and (2) a code for authentication
3. the user inputs the code and creates their password
4. the user can now view the site, and login at a later time

So that’s the process. My designer created two pages: (1) a page with a form requesting an account and another form to login and (2) a page to create a password with the code. I created a new controller, beta, and started with these two functions:

> ruby script/generate controller beta index create_password

And I created a model, betauser:

> ruby script/generate model betauser

The model had three fields: email, password, and a boolean ‘active’ to keep track of whether the user had activated the account. I usually use the timestamps for every model just as good practice. Here is the migration:

class AddBetaUsers < ActiveRecord::Migration
def self.up
create_table :betausers do |t|
t.boolean :active
t.string :email, :password
t.timestamps
end
end

 def self.down
drop_table :betausers
end
end

Next was the function for requesting a beta account. The form’s only input was their email:

def create_beta_invite
email = params[:email]
beta = Betauser.new
  //set the account to inactive
  beta.active = false
beta.email = email
if beta.save
// create a code based on the users email
// its not the most secure way to do things,
// but its simple and doesnt require another
// field in the database
code = Digest::SHA1.hexdigest(email)[3,12]
 
// create an email with my ActiveMailer model 'Notifier'
  email = Notifier.create_beta(email,code)
email.set_content_type("text/html")
Notifier.deliver(email)
  //redirect to the password creation page
  redirect_to :action => "create_password",
:email => email
[sourcecode language="ruby"] else
redirect_to :action => "index"
end
end

[/sourcecode]

After the user gets their email with their activation code, they go to the create_password page.  I send the email as a param in the link, so the activation page will only work if they use the link in the email (or directly edit the address if they are real crafty). The create password page has 3 inputs: code, password, and passRepeat (to verify the password).  Here is the action for this form:

[sourcecode language="ruby"]def make_account
@beta = Betauser.find_by_email(params[:email])
if !@beta
redirect_to :action => "index"
  //check that password fields match
  elsif params[:password] == params[:passRepeat]

[/sourcecode]

[sourcecode language="ruby"] // check that the code matches our formula from before
  if params[:code] != Digest::SHA1.hexdigest(@beta.email)[3,12]
flash[:alert] = "Incorrect Code!"
redirect_to :action => "create_password",
:email => @beta.email
else
  //save the password
  @beta.password = Digest::SHA1.hexdigest(params[:password])
  //set the account to active
  @beta.active = true
@beta.save
 //use the session cookies to log the user in,
// then redirect to the site
 session['betauser'] = @beta.id
redirect_to :controller => "main",
:action => "index"
end
else
flash[:alert] = "Passwords do not match!"
redirect_to :action => "create_password",
:email => @beta.email
end
end

So now we have a user logged in. But we have to have a ‘gatekeeper’ function to allow logged in users to view the site, and send everyone else to the login page. We will put this in the application.rb controller:[/sourcecode]

[sourcecode language="ruby"] // run the function before every action in our app
 before_filter :check_beta
....
protected
....

[/sourcecode]

def checkbeta
// don't check when user is in the beta pages
// that will cause an infinite redirect loop
if controller_name != 'beta'
// if betauser session variable is there
// and the beta user exists, set a
// global @betauser to represent the user
if (session['betauser'] and Betauser.find(session['betauser']) )
@betauser = Betauser.find(session['betauser'])
// if the account has not been activated,
// send the user to the create password page
if @betauser.active == false
session[:original_uri] = request.request_uri
redirect_to :controller => "beta",
:action => "create_password",
:email => @betauser.email
end
else
// if a user is not logged in,
// store the requested call
// and send the user to the
// account request and login page
session[:original_uri] = request.request_uri
redirect_to :controller => "beta",
:action => "index"
end
end
end

Notice that if the user is logged in and the account is active, there is no redirect, and the user goes to the requested page.

The only thing left is to create a login and logout function in our beta controller:

def login
password = params[:password]
email = params[:email]
user = Betauser.find_by_email(email)
 // make sure the user exists
 if !user
flash[:alert] = "No user with that email address."
redirect_to :action => "index"
 // make sure the account is active
 elsif user.active == 0
flash[:alert] = "You must activate your beta account."
redirect_to :action => "create_password",
:email => user.email
 // verify the password
 elsif Digest::SHA1.hexdigest(password) != user.password
flash[:alert] = "Incorrect Password."
redirect_to :action => "index"
else
 // set the session variable to log the user in
 session['betauser'] = user.id
// send to the original request, if exists
// otherwise, send to the homepage
if session[:original_uri]
redirect_to session[:original_uri]
else
redirect_to :controller => "main",
:action => "index"
end
end
end

def logout
 // set the session variable to nil
// and redirect to the login page
session['betauser'] = nil
redirect_to :controller => "beta",
:action => "index"
end

That’s about it. There are definitely things I could have done better, but I wanted something quick, dirty, and temporary. It works, and is not something I would want to use long term. However, if you have a need for a low-security, simple login, this gets it done. Overall, it only took me about an hour and 15 minutes to code, and will be very simple to remove.

**I will follow up with a very simple removal of the system, and post the files in their entirety at a later time. Check it out at Motionspire.com!

The Wojo Group » authentication

Remember Me’s with Rails

Simple login with Rails