Typically, once you are happy that the user is who they claim to be,
you do something like

    session[:user_id] = @user.id

Then on subsequent approaches you can do User.find(session[:user_id])
to get the logged-in user. Often one uses a before_filter to restrict
access to the appropriate pages. There is a plugin
(acts_as_authenticated) that does most of this for you.
Fred
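
The flow described in the post above, as an added example that is not part of the original post and not taken from acts_as_authenticated. It uses plain-Ruby stand-ins for the Rails session, model and before_filter (User, USERS, AccountsController and the sample data are hypothetical) to show the id stored at login, looked up on each request, and a missing or stale id sent back to login.

```ruby
# Plain-Ruby stand-ins for the Rails pieces, so the flow runs without Rails.
# User, USERS and AccountsController are hypothetical names; the data is constructed.
User = Struct.new(:id, :name)
USERS = { 1 => User.new(1, "alice"), 2 => User.new(2, "bob") }

class AccountsController
  PROTECTED = [:show, :edit].freeze   # actions the filter guards

  def initialize(session)
    @session = session                # per-visitor hash, as the Rails session is
  end

  # Call only after the credentials have been verified.
  def log_in(user)
    @session.clear                    # drop pre-login state (Rails: reset_session)
    @session[:user_id] = user.id      # store the id only, never the whole record
  end

  def log_out
    @session.clear
  end

  # Look the id up on every request; nil if absent or the account is gone.
  def current_user
    USERS[@session[:user_id]]
  end

  # Stand-in for a before_filter: runs before the action and can halt it.
  def dispatch(action)
    return :redirect_to_login if PROTECTED.include?(action) && current_user.nil?
    public_send(action)
  end

  def index; "public page"; end
  def show;  "account of #{current_user.name}"; end
  def edit;  "edit form for #{current_user.name}"; end
end

# One visitor's session across three requests (a new controller per request).
def demo
  session = {}
  out = [AccountsController.new(session).dispatch(:show)]   # not logged in
  AccountsController.new(session).log_in(USERS[1])
  out << AccountsController.new(session).dispatch(:show)    # logged in
  USERS.delete(1)                                           # account removed mid-session
  out << AccountsController.new(session).dispatch(:show)    # stale id is rejected
end
```

In a real Rails controller, a lookup that returns nil for a missing row plays the role of `USERS[...]` here, since `User.find` raises when the id no longer exists.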