Home arrow Ruby-on-Rails arrow Login Systems and More with Ruby on Rails

Login Systems and More with Ruby on Rails

In this third article of a six-part series covering web development and Ruby on Rails, you'll learn how to add some very desirable features to your web application. This article is excerpted from chapter 15 of the Ruby Cookbook, written by Lucas Carlson and Leonard Richardson (O'Reilly, 2006; ISBN: 0596523696). Copyright 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

Author Info:
By: O'Reilly Media
Rating: 4 stars4 stars4 stars4 stars4 stars / 39
April 05, 2007
  1. · Login Systems and More with Ruby on Rails
  2. · 15.9 Storing Hashed User Passwords in the Database
  3. · 15.10 Escaping HTML and JavaScript for Display
  4. · 15.11 Setting and Retrieving Session Information

print this article

Login Systems and More with Ruby on Rails
(Page 1 of 4 )

15.8 Creating a Login System


You want your application to support a login system based on user accounts. Users will log in with a unique username and password, as in most commercial and community web sites.


Create a users table that contains nonnull username and password fields. The SQL to create this table should look something like this MySQL example:

  use mywebapp_development;
  CREATE TABLE `users` (
`username` VARCHAR(255) NOT NULL,
    `password` VARCHAR(40) NOT NULL,
    PRIMARY KEY (`id`)

Enter the main directory of the application and generate a User model corresponding to this table:

  $ ./script/generate model User
        exists  app/models/
        exists  test/unit/
        exists  test/fixtures/
        create  app/models/user.rb
        create  test/unit/user_test.rb 
        create  test/fixtures/users.yml

Open the generated file app/models/user.rb and edit it to look like this:

  class User < ActiveRecord::Base 
    validates_uniqueness_of :username 
    validates_confirmation_of :password, :on => :create
    validates_length_of :password, :within => 5..40

    # If a user matching the credentials is found, returns the User object.
    # If no matching user is found, returns nil.
    def self.authenticate(user_info)


Now you've got a User class that represents a user account, and a way of validating a username and password against the one stored in the database.


The simple User model given in the Solution defines a method for doing username/password validation, and some validation rules that impose limitations on the data to be stored in the users table. These validation rules tell User to:

  • Ensure that each username is unique. No two users can have the same username.
  • Ensure that, whenever the password attribute is being set, the password_confirmation attribute has the same value.
  • Ensure that the value of the password attribute is between 5 and 40 characters long.

Now let's create a controller for this model. It'll have a login action to display the login page, a process_login action to check the username and password, and a logout action to deauthenticate a logged-in session. So that the user accounts will actually do something, well also add a my_account action:

  $ ./script/generate controller user login process_login logout my_account
        exists  app/controllers/
        exists  app/helpers/
        create  app/views/user
        exists  test/functional/
        create  app/controllers/ user_controller.rb
        create  test/functional/ user_controller_test.rb
        create  app/helpers/user_helper.rb
        create  app/views/user/login.rhtml
        create  app/views/user/ process_login.rhtml
        create  app/views/user/logout.rhtml

Edit app/controllers/user_controller.rb to define the three actions:

  class UserController < ApplicationController
def login
      @user = User.new
      @user.username = params[:username]

    def process_login
if user = User.authenticate(params[:user])
        session[:id] = user.id # Remember the user's id during this session
        redirect_to session[:return_to] || '/'
        flash[:error] = 'Invalid login.'
        redirect_to :action => 'login', :username => params[:user][:username]

    def logout
      flash[:message] = 'Logged out.'
      redirect_to :action => 'login'

    def my_account

Now for the views. The process_login and logout actions just redirect to other actions, so we only need views for login and my_account. Here's a view for login:

  <!-- app/views/user/login.rhtml -->
  <% if @flash[:message] %><div><%= @flash[:message] %></div><% end %>
  <% if @flash[:error] %><div><%= @flash[:error] %></div><% end %>

  <%= form_tag :action => 'process_login'
Username: <%= text_field "user", "username" %>&#x00A;
    Password: <%= password_field "user", "password" %>&#x00A;
    <%= submit_tag %>
<%= end_form_tag %>

The @flash instance variable is a hashlike object used to store temporary messages for the user between actions. When the logout action sets flash[:message] and redirects to login, or process_login sets flash[:error] and redirects to login, the results are available to the view of the login action. Then they get cleared out.

Here's a very simple view for my_account:

  <!-- app/views/user/my_account.rhtml -->
  <h1>Account Info</h1>

  <p>Your username is <%= User.find(session[:id]).username %>

Create an entry in the users table, start the server, and you'll find that you can log in from http://localhost:3000/user/login, and view your account information from http:// localhost:3000/user/my_account.

  $ ./script/runner 'User.create(:username => "johndoe", \
                                 :password => "changeme")'

There's just one missing piece: you can visit the my_account action even if you're not logged in. We don't have a way to close off an action to unauthenticated users. Add the following code to your app/controllers/application.rb file:

  class ApplicationController < ActionController::Base
    before_filter :set_user

    def set_user
      @user = User.find(session[:id]) if @user.nil? && session[:id]

    def login_required
      return true if @user
      return false

    def access_denied
      session[:return_to] = request.request_uri
      flash[:error] = 'Oops. You need to login before you can view that page.'
      redirect_to :controller => 'user', :action => 'login'

This code defines two filters, set_user and login_required, which you can apply to actions or controllers. The set_user filter is run on every action (because we pass it into before_filter in ApplicationController, the superclass of all our controllers). The set_user method sets the instance variable @user if the user is logged in. Now information about the logged-in user (if any) is available throughout your application. Action methods and views can use this instance variable like any other. This is useful even for actions that don't require login: for instance, your main layout view might display the name of the logged-in user (if any) on every page.

You can prohibit unauthenticated users from using a specific action or controller by passing the symbol for the login_required method into before_filter. Here's how to protect the my_account action defined in app/controllers/user_controller.rb:

  class UserController < ApplicationController
    before_filter :login_required, :only => :my_account

Now if you try to use the my_account action without being logged in, you'll be redirected to the login page.

See Also

  1. Recipe 13.14, "Validating Data with ActiveRecord"
  2. Recipe 15.6, "Integrating a Database with Your Rails Application"
  3. Recipe 15.9, "Storing Hashed User Passwords in the Database"
  4. Recipe 15.11, "Setting and Retrieving Session Information"
  5. Rather than doing this work yourself, you can install the login_generator gem and use its login generator: it will give your application a User model and a controller that implements a password-based authentication system; see http://wiki. rubyonrails.com/rails/pages/LoginGenerator; also see http://wiki.rubyonrails.com/ rails/pages/AvailableGenerators for other generators (including the more sophisticated model_security_generator)

blog comments powered by Disqus

- Ruby-on-Rails Faces Second Security Flaw in ...
- Ruby 2.0 Prepped for February 2013 Release
- Why LinkedIn Switched from Ruby on Rails
- Adding Style with Action Pack
- Handling HTML in Templates with Action Pack
- Filters, Controllers and Helpers in Action P...
- Action Pack and Controller Filters
- Action Pack Categories and Events
- Logging Out, Events and Templates with Actio...
- Action Pack Sessions and Architecture
- More on Action Pack Partial Templates
- Action Pack Partial Templates
- Displaying Error Messages with the Action Pa...
- Action Pack Request Parameters
- Creating an Action Pack Registration Form

Watch our Tech Videos 
Dev Articles Forums 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us 
Weekly Newsletter
Developer Updates  
Free Website Content 
Contact Us 
Site Map 
Privacy Policy 

Developer Shed Affiliates


© 2003-2019 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap
Popular Web Development Topics
All Web Development Tutorials