Greetings. I need to know an expert's opinion on Authlogic and Restful Authentication as to security. I have used both and I personally like Authlogic precisely because it is more flexible.

As to security I am not aware of any risk as long as the authlogic examples are followed. However I need to know why certain developers feel that using Authlogic imposes security risks.

It's like some manager tells you "your application is not secure because you are using authlogic" without clearly explaining why.
Leonardo Mateo
2009-Nov-11 08:19 UTC
Re: Authlogic and Restful Authentication - Security Issues
On Wed, Nov 11, 2009 at 4:25 AM, Katherine <bridgeutopia-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> Greetings. I need to know an expert's opinion on Authlogic and Restful
> Authentication as to security.
> I have used both and I personally like Authlogic precisely because it
> is more flexible.
>
> As to security I am not aware of any risk as long as the authlogic
> examples are followed. However I need to know why certain developers
> feel that using Authlogic imposes security risks.
>
> It's like some manager tells you "your application is not secure
> because you are using authlogic" without clearly explaining why.

If there's no explanation on those opinions, then you cannot take them seriously.
Security depends on the developer, and several times on the user himself. How you cover your back is up to you regardless of the plugin/gem you're using; these are only tools that make the work a bit easier for you.
When somebody tells you that your application is insecure for using some plugin, make him/her explain why and see if you have that covered. Otherwise, never mind it; if they can't explain why, then that's not even advice.

Cheers.

--
Leonardo Mateo.
There's no place like ~
Katherine
2009-Nov-11 09:31 UTC
Re: Authlogic and Restful Authentication - Security Issues
Thanks for your response. Security issue is something rather objective. I am still investigating why they say so (before I even ask or throw them that question).

> If there's no explanation on those opinions, then you cannot take them seriously.
> Security depends on the developer, and several times on the user
> himself. How you cover your back is up to you regardless of the
> plugin/gem you're using; these are only tools that make the work a bit
> easier for you.
> When somebody tells you that your application is insecure for using
> some plugin, make him/her explain why and see if you have that
> covered. Otherwise, never mind it; if they can't explain why, then
> that's not even advice.
>
> Cheers.
>
> --
> Leonardo Mateo.
> There's no place like ~
Marnen Laibow-Koser
2009-Nov-11 14:36 UTC
Re: Authlogic and Restful Authentication - Security Issues
Katherine wrote:
[...]
>
> As to security I am not aware of any risk as long as the authlogic
> examples are followed. However I need to know why certain developers
> feel that using Authlogic imposes security risks.

I've never heard this.

>
> It's like some manager tells you "your application is not secure
> because you are using authlogic" without clearly explaining why.

Well, *make* them explain! They can't just tell you the sky is green without taking you to the window and showing you, now can they?

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org
--
Posted via http://www.ruby-forum.com/.
Katherine
2009-Nov-16 00:33 UTC
Re: Authlogic and Restful Authentication - Security Issues
I am aware of some authlogic issue with Passenger (destroying sessions often yields an error). But I think it can be fixed easily as long as your production server is a VPS.

I told them I'm going to throw an in-depth review of your review and got an unusual response. I think this is the case wherein developers have gotten used to Restful authentication that anything else out there (like Authlogic, Clearance and others) is not acceptable.

On Nov 11, 10:36 pm, Marnen Laibow-Koser <rails-mailing-l...@andreas-s.net> wrote:
> Katherine wrote:
>
> [...]
>
> > As to security I am not aware of any risk as long as the authlogic
> > examples are followed. However I need to know why certain developers
> > feel that using Authlogic imposes security risks.
>
> I've never heard this.
>
> > It's like some manager tells you "your application is not secure
> > because you are using authlogic" without clearly explaining why.
>
> Well, *make* them explain! They can't just tell you the sky is green
> without taking you to the window and showing you, now can they?
>
> Best,
> --
> Marnen Laibow-Koser http://www.marnen.org
> mar...-sbuyVjPbboAdnm+yROfE0A@public.gmane.org
> --
> Posted via http://www.ruby-forum.com/.
Just out of curiosity, by "certain developers" are you referring only to developers that you work with? Is "some manager," your manager? Because if that's the case, they should be able (and I'd say have a duty) to explain. Do you have any examples otherwise?

For what it's worth, your question is the top Google search result from a query about fixing authlogic session problems with a VPS.

-eric

On Nov 10, 7:25 pm, Katherine <bridgeuto...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Greetings. I need to know an expert's opinion on Authlogic and Restful
> Authentication as to security.
> I have used both and I personally like Authlogic precisely because it
> is more flexible.
>
> As to security I am not aware of any risk as long as the authlogic
> examples are followed. However I need to know why certain developers
> feel that using Authlogic imposes security risks.
>
> It's like some manager tells you "your application is not secure
> because you are using authlogic" without clearly explaining why.
There was a problem with reset_session in production mode from Rails 2.3.1. Reported as resolved with discussion as recent as 3 Nov.

On Nov 15, 9:56 pm, Eric <ericgh...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Just out of curiosity, by "certain developers" are you referring only
> to developers that you work with? Is "some manager," your manager?
> Because if that's the case, they should be able (and I'd say have a
> duty) to explain. Do you have any examples otherwise?
>
> For what it's worth, your question is the top Google search result from
> a query about fixing authlogic session problems with a VPS.
>
> -eric
>
> On Nov 10, 7:25 pm, Katherine <bridgeuto...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> > Greetings. I need to know an expert's opinion on Authlogic and Restful
> > Authentication as to security.
> > I have used both and I personally like Authlogic precisely because it
> > is more flexible.
>
> > As to security I am not aware of any risk as long as the authlogic
> > examples are followed. However I need to know why certain developers
> > feel that using Authlogic imposes security risks.
>
> > It's like some manager tells you "your application is not secure
> > because you are using authlogic" without clearly explaining why.