Security

Hi all,

I'm currently developing a rails application which relies on a further application server to get and store data.

Regarding authentication, I'm currently looking at the brilliant Authlogic as a solution. However, I'm wondering whether it's worth moving the password storage and checking up to the application server.

It would work something like this:

1) A user submits a username and password to the Rails app.
2) Rails then passes these to the application server, which then checks the credentials and returns a user- and time-based auth key.
3) Rails then uses this key to access the application server. At the moment no key is required, and the Rails app can call anything on the application server.

Advantages:
- If the Rails app or the webserver it's running on is compromised, there is no direct access to the application server (since the attacker would still not be able to generate auth keys).

Disadvantages:
- Increased complexity.
- Missing out on a lot of clever Authlogic stuff.

So I guess the general question is whether removing the authentication from the Rails application is overkill or not: should I instead assume managing passwords on Rails is just as strong as pushing it up to the application server? How do most Rails applications manage their passwords? How do they fare?

Shak
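A minimal sketch of the auth-key exchange described in the post (steps 2 and 3: the application server checks the forwarded credentials, mints a key bound to the user and an expiry, and later verifies that key on every call). This is an added example for the thread, not code from the original post, from Rails or from Authlogic; the server secret, the user store, the "username|expires_at|hmac" key format and the PBKDF2 parameters are all assumptions.

```ruby
require "openssl"
require "securerandom"

# Constructed values: the application server's signing secret and a one-user store.
# Rails never holds this secret, so a compromised Rails box cannot mint keys.
APP_SERVER_SECRET = "constructed-app-server-secret".freeze
PBKDF2_ITERATIONS = 100_000

def password_digest(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: "sha256")
end

# Stored on the application server: a salted PBKDF2 digest, never the password itself.
ALICE_SALT = SecureRandom.hex(8)
USERS = { "alice" => { salt: ALICE_SALT, digest: password_digest("correct horse", ALICE_SALT) } }

# Constant-time byte comparison so a wrong digest or MAC does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Assumed key format: "username|expires_at|hmac". Usernames must not contain "|".
def issue_key(username, expires_at)
  payload = "#{username}|#{expires_at}"
  "#{payload}|#{OpenSSL::HMAC.hexdigest("SHA256", APP_SERVER_SECRET, payload)}"
end

# Step 2 of the scheme: the application server checks the credentials Rails forwarded
# and, on success, returns a key bound to this user and valid for `ttl` seconds.
def authenticate(username, password, now: Time.now.to_i, ttl: 600)
  record = USERS[username]
  return nil unless record && !username.include?("|")
  return nil unless secure_equal?(password_digest(password, record[:salt]), record[:digest])
  issue_key(username, now + ttl)
end

# Step 3: every later call from Rails carries the key; the server recomputes the HMAC
# and rejects anything unsigned, tampered with or expired. Returns the username or nil.
def verify_key(key, now: Time.now.to_i)
  username, expires_at, mac = key.to_s.split("|", 3)
  return nil if username.nil? || expires_at.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", APP_SERVER_SECRET, "#{username}|#{expires_at}")
  return nil unless secure_equal?(mac, expected)
  return nil if expires_at.to_i <= now
  username
end
```

In a real deployment the secret would live only on the application server, the key would be sent over TLS, and the server would still enforce per-user authorization on each call rather than treating a valid key as full access.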