Topic: SOLVED How to use has_secure_password in my refactoring?

I am trying to refactor the authorization mechanism.

My version of rails is 3.2.0 and I am using ruby 1.9.3-p0 and PostgreSQL 9.1.

So far, my tests are passing when it comes to a failed attempt to sign in, but the successful sign in fails. (The reason is that I have to refactor the old sign-in mechanism.)

Here is my session helper's sign_in function:

    def sign_in(employee)
      # remember token as in the Rails Tutorial: [id, salt]
      cookies.permanent.signed[:remember_token] = [employee.id, employee.salt]
      self.current_employee = employee
    end

One problem I see immediately with the sign_in function is that has_secure_password already takes care of the encryption, salt, etc.; my thinking was that maybe I should use password_digest instead of employee.salt, but that failed as well.

I would like to have my cookies expire after two hours. I found this option at under cookies.

      cookies[:key] = {
        :value   => [employee.id, employee.salt],
        :expires => 2.hours.from_now   # the two-hour lifetime mentioned above
      }

Another question I have has to do with the fact that has_secure_password already has an authenticate method, so that means I do not have to use the authenticate definition defined in the employee model (the user model in the rails tutorial), but when I comment it out I get a flag reading:

     NoMethodError: undefined method 'authenticate'

Here is my session controller's create action:

     def create
       employee = Employee.authenticate(params[:session][:email],
                                        params[:session][:password])
       if employee.nil?
         flash[:error] = "Invalid email/password combination."
         @title = "Sign in"
         render 'new'
       else
         sign_in employee
         redirect_back_or employee
       end
     end

It seems the Employee.authenticate is a problem.

So I essentially have three questions and they are as follows:

In the rails tutorial we go through a fairly lengthy process of encrypting and applying salt etc. to the employee's password. Since has_secure_password has this already taken care of, what variable would I pass to my functions or arguments that would capture the encrypted password?

The next question has to do with the expiration of the cookie, and how I would use that in the sign_in function?

Lastly, how do I use the authenticate method so that rails recognizes it as a genuine method?

Just for the record, I have searched through railsguide, and other questions asked on SO that are similar to this one. Of course this merely points up my lack of understanding of the principles, but I am learning and do take direction well.

Thanks for any thoughts, suggestions and or resources you might share with me.

I found this site that deals with session expiration: … rails.html
I am still working to see if I can make it work for me, but notice that it is tailored for the ruby on rails tutorial.

Also, Michael Hartl is busy pushing out his 2nd edition of the Ruby on Rails Tutorial and in that edition he will be dealing with has_secure_password.

Last edited by fuzzytom (2012-03-23 16:15:12)
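Added example, not from the post above and not Rails' own code: a framework-free Ruby sketch of the two pieces the questions are about. The hypothetical `Employee` mirrors the `authenticate` contract of has_secure_password (PBKDF2 stands in for bcrypt only so this runs offline), and the remember cookie carries just the employee id plus an HMAC-bound expiry, so neither the salt nor the password digest is ever sent to the browser; `COOKIE_SECRET` and `SESSION_TTL` are assumed stand-ins for Rails configuration.

```ruby
require "openssl"
require "securerandom"

# Assumed stand-ins for Rails config: signing secret and the two-hour lifetime.
COOKIE_SECRET = SecureRandom.hex(32)
SESSION_TTL   = 2 * 60 * 60

# Constant-time comparison so a wrong digest or token fails without a timing leak.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def cookie_hmac(payload)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), COOKIE_SECRET, payload)
end

# Hypothetical Employee; password_digest stores "salt:hash". PBKDF2 replaces bcrypt
# here only so the example runs offline: has_secure_password does all of this for you.
Employee = Struct.new(:id, :email, :password_digest) do
  def self.create(id, email, password)
    salt = SecureRandom.hex(16)
    new(id, email, "#{salt}:#{digest(password, salt)}")
  end

  def self.digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32,
                               OpenSSL::Digest.new("sha256")).unpack1("H*")
  end

  # Same contract as has_secure_password's #authenticate: the record or false.
  def authenticate(password)
    salt, stored = password_digest.split(":", 2)
    secure_equal?(Employee.digest(password, salt), stored) ? self : false
  end
end

# Cookie value: "<id>|<expires_at>|<hmac>"; only the id and expiry leave the server.
def remember_cookie_for(employee, now = Time.now)
  payload = "#{employee.id}|#{(now + SESSION_TTL).to_i}"
  "#{payload}|#{cookie_hmac(payload)}"
end

# Employee id if the HMAC verifies and the expiry has not passed, else nil.
# Expiry is enforced here, not only by the browser honouring the cookie lifetime.
def employee_id_from_cookie(cookie, now = Time.now)
  id, expires_at, sig = cookie.to_s.split("|", 3)
  return nil if sig.nil?
  return nil unless secure_equal?(cookie_hmac("#{id}|#{expires_at}"), sig)
  return nil if now.to_i >= expires_at.to_i
  id.to_i
end
```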