How to create first user for sign in using Devise

Hi,

I want to add authentication for sign in and sign out. I added the gem and created a user model using Devise in Rails 3. I want to create a user for the first sign in and sign out. How can I create one? Any suggestions?

Create a new User object, then fill in the fields, and call save.

I use email for login, so I do this in the console/database seed file:

    User.create(email: 'test@test.com', password: 'password123', password_confirmation: 'password123')

Then I log in with the “test@test.com” and “password123”
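An added example, not part of the thread or of Devise itself: a seed helper that performs the same create step without committing a fixed password, taking the credentials from the environment and doing nothing when the account already exists. The names FIRST_USER_EMAIL and FIRST_USER_PASSWORD, the 12-character minimum and the FakeUser stand-in are assumptions made for the example.

```ruby
require 'securerandom'

MIN_LENGTH = 12 # assumed local policy for the example, not a Devise setting

# Create the first account once. `model` is the Devise model (User in a Rails app).
# Returns [user, password]; password is nil unless it was generated here.
def seed_first_user(model, env = ENV)
  # Normalise so a re-run finds the same record regardless of case or padding.
  email = env['FIRST_USER_EMAIL'].to_s.strip.downcase
  raise ArgumentError, 'FIRST_USER_EMAIL is not set' if email.empty?

  existing = model.where(email: email).first
  return [existing, nil] if existing # re-running seeds must not reset a password

  supplied = env['FIRST_USER_PASSWORD'].to_s
  password = supplied.empty? ? SecureRandom.urlsafe_base64(24) : supplied
  raise ArgumentError, "password must be at least #{MIN_LENGTH} characters" if password.length < MIN_LENGTH

  user = model.new(email: email, password: password, password_confirmation: password)
  user.save! # raises if the model's validations reject the record
  [user, supplied.empty? ? password : nil]
end

# Constructed in-memory stand-in for the Devise model, so the file runs outside Rails.
class FakeUser
  STORE = []
  attr_reader :email, :password

  def self.where(email:)
    STORE.select { |u| u.email == email }
  end

  def initialize(email:, password:, password_confirmation:)
    raise ArgumentError, 'confirmation mismatch' unless password == password_confirmation
    @email = email
    @password = password
  end

  def save!
    STORE << self
    self
  end
end

if __FILE__ == $PROGRAM_NAME
  user, generated = seed_first_user(FakeUser, 'FIRST_USER_EMAIL' => 'Admin@Example.test')
  puts "created #{user.email}; one-time password: #{generated}"
end
```

In a Rails app the call in db/seeds.rb would be seed_first_user(User), with the two variables set in the shell that runs rake db:seed.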

Emil S. wrote in post #1116233:

I use email for login, so I do this in the console/database seed file: User.create(email: 'test@test.com', password: 'password123', password_confirmation: 'password123') Then I log in with the "test@test.com" and "password123"

Personally speaking, I generally dislike the practice of using email addresses as usernames. Yes, it has a certain convenience. Convenience will always be in contention with security.

There are a number of reasons for this:

1. If the site gets hacked there is no way to protect email addresses from exposure. If email addresses are kept separate from the user account information then it is at least possible to protect them from a hack against the user login info.

2. If a user changes their email address (or otherwise loses control of their email account) they have no way to verify themselves in case they need to reset their password.

Amen! In addition to the reasons you list, people often have multiple addresses at once -- I myself have several, not even including the hundreds of special-purpose ones I make up on the fly at my domains. Then, logging into a system you haven't been on in years, do they really expect you to remember *which* address you used back then *for that site*? Meanwhile, I use the same username almost everywhere; just about the only exceptions are a few places where that's too long, or it has to have both letters and digits. (Yes I mean the username, not the password!)

-Dave

Devise has a wonderful kickstarter; just take a look at the README and follow the steps.

The user actually “uses” the email ID and can remember it. I can never remember my “usernames”, usually. Also “forgot password” becomes easy with email IDs. But then again, to each his own.

Emil S. wrote in post #1116325:

The user actually "uses" the email ID and can remember it. I can never remember my "usernames", usually. Also "forgot password" becomes easy with email IDs. But then again, to each his own.

Yes "forgot password" is easy that way. It's also easy for the hacker who hijacks the email account used to sign into the site. Not only does the owner of the email account lose access to their email itself, but to any web site that user accesses using their email address as their login. Worse yet, it's highly likely there's information available in their email that gives the hacker good clues as to what online services they actually use.

Convenience is the enemy of security. The trick is to understand the risks in order to find the right balance. Ideally multi-factor authentication should be used for any sensitive online service, which is certainly not convenient, but is vital to protecting online identity.

As for remembering login information, that's what password managers are for. I myself have well over 100 logins stored in my password manager each one with unique auto-generated passwords. With such a tool I only have to remember (and protect) a single password.

Any conveniences employed by online services do nothing for me besides reduce the level of security of that given service.

What happens when the user wants to change their email address? I've encountered sites where I haven't been able to do this as it is the key thing associated with the account on that site. I've lost accounts because of this, and they weren't just minor things. One was Amazon, although it was a long time ago now.