Authlogic and Restful Authentication - Security Issues

Greetings. I need to know an expert's opinion on Authlogic and Restful
Authentication as to security.
I have used both and I personally like Authlogic precisely because it
is more flexible.

As to security I am not aware of any risk as long as the authlogic
examples are followed. However I need to know why certain developers
feel that using Authlogic imposes security risks.

It's like some manager tells you "your application is not secure
because you are using authlogic" without clearly explaining why.

If there's no explanation for those opinions, then you cannot take them seriously.
Security depends on the developer, and several times on the user
himself. How you cover your back is up to you regardless of the
plugin/gem you're using; these are only tools that make the work a bit
easier for you.
When somebody tells you that your application is insecure for using
some plugin, make him/her explain why and see if you have that
covered; otherwise, never mind it. If they can't explain why, then
that's not even advice.

Cheers.

Thanks for your response.
A security issue is something rather objective. I am still investigating
why they say so (before I even ask or throw that question at them).

Katherine wrote:
[...]

As to security I am not aware of any risk as long as the authlogic
examples are followed. However I need to know why certain developers
feel that using Authlogic imposes security risks.

I've never heard this.

It's like some manager tells you "your application is not secure
because you are using authlogic" without clearly explaining why.

Well, *make* them explain! They can't just tell you the sky is green
without taking you to the window and showing you, now can they?

Best,

I am aware of some Authlogic issue with Passenger (destroying sessions
often yields an error).
But I think it can be fixed easily as long as your production server
is a VPS.
I told them I'm going to throw an in-depth review of your review and
got an unusual response.
I think this is the case wherein developers have gotten so used to
Restful Authentication that anything else out there (like Authlogic,
Clearance and others) is not acceptable.

Just out of curiosity, by "certain developers" are you referring only
to developers that you work with? Is "some manager," your manager?
Because if that's the case, they should be able (and I'd say have a
duty) to explain. Do you have any examples otherwise?

For what it's worth, your question is the top Google search result for
a query about fixing Authlogic session problems with a VPS.

-eric

There was a problem with reset_session in production mode from Rails
2.3.1. Reported as resolved, with discussion as recent as 3 Nov.