Topic: Password protecting pages simply


I'm now on level 7 of Hartl's rails tutorial book and I'm starting to think about my application in deployment. It's an app that allows about 12 social workers to communicate collaboratively and privately. Thus, I need to password protect it.

However, it also needs to be easy to use, very easy to use. A few of these people haven't used a computer before, and having logging on and sign-up processes would put them off completely.

Thus I want to create a landing page, where they have to type a password in (the same password for everybody), then it redirects to the 'discussion pages.' My first idea was to use some obfuscated javascript such that upon typing in the password, it redirects them to the discussion pages, but this doesn't sound very secure.

Can anyone recommend me a better way to do this in rails? Ideally they would only have to type it in once, and then it would authenticate them for all the pages automatically (by setting a cookie?) and anyone trying to access a page directly would be redirected to the authentication page.

Hope you can help.,


Re: Password protecting pages simply

1) The session object is your friend. It's actually a dynamic hash of key value pairs. It's used to fake state and handles coockies for you, you should perhaps consider setting the cookie store to use the database - there are automatic generators to handle this for you.

2) Controller filters and abstract controllers are your friend.
Create a base controller for all controllers that need to be secured and a base controller for all public pages and an admin base controller for you
Use a before filter in the application controller to call an authorise method that doesn't exist and definethe authorise method in each of the base controllers as necessary with just an empty method in the base public folder
Then change your existing controllers to descend from one of your base controllers accordingly.
This approach has the added benefit of giving you an immediate and obvious error if you forget to assign the controller to the orrect base controller.
Dead simple to do

3) Models are also your friend
Set up a model that does the authentication for you. have an authorisation filter

Lastly if you need to track which user does what (essential in a corporate environment) then they will have to log in! Typing a name in as well as a password shouldn't be too great a leap for any user. Or give everyone their own unique password and don;t bother with the name.

Some of the above concepts can be found in the railscast authentication from scratch here … om-scratch
That should give you enough detail to get started with and if you have any difficulties with implementation then post back here and I'll keep an eye on the thread

What you want and what you need are too often not the same thing!
When your head is hurting from trying to solve a problem, stop standing on it. When you are the right way up you will see the problem differently and you just might find the solution.
(Quote by me 15th July 2009)

Re: Password protecting pages simply

Thanks so much, I'll keep you updated!