
Authentication from Scratch in Production App?

Is it a good idea to use the Authentication from scratch system from Hartl's Ruby on Rails Tutorial in a production app? Are there security issues with using it? Should an app that's already using it migrate to Devise instead? How would one do that?

In my opinion, using a gem like Devise is a better solution than writing authentication from scratch, since you might not even be aware of some security issues that such gems can handle for us, as they are developed by a whole community instead of a single person.

Moreover, I would really prefer not to reinvent the wheel when I already have an awesome solution available. I have used Devise in many production applications, and it does so much more than plain authentication, and that is where it shines :)

However, if you are learning your way through Ruby on Rails, I would really recommend that you write the authentication from scratch, but even then, not for a production app, initially.

As it says in Devise's documentation:

If you are building your first Rails application, we recommend you to not use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch, today we have two resources:

Michael Hartl's online book: http://railstutorial.org/chapters/modeling-and-viewing-users-two#top

Ryan Bates' Railscast: http://railscasts.com/episodes/250-authentication-from-scratch

Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :)
