Just a question for opinions - In the past developing with php (not that it should matter) , when preparing data for a user I generally set the query to filter not only by user.id but also by user.username. To me it just seemed to add a little more redundancy in the event some hacker figured out a way to login with someone elses id. Is this strategy something that makes sense in Rails as well ? Or in any web application ? Of course when they log in they must with their username and password.