User:Rshah5/sandbox

Introduction
AuthLogic and Devise are both Ruby gems that provide the same service: authentication. They are similar in most respects, but their differences are what make each of them a distinct gem. This wiki page is a comparative study of the two.

AuthLogic has 65 versions, the latest being 3.4.6, released on 13 July 2015; the first was released on 3 November 2008. Its author is Ben Johnson of Binary Logic. The gem that was popular before AuthLogic was restful_authentication. Unlike restful_authentication, AuthLogic generates only the authentication logic and not model, view and controller code, which leaves the application with clean, uncomplicated code that is relatively easy to understand.

Devise has a total of 136 versions between its first release on 21 October 2009 and the latest on 10 August 2015. Its authors are José Valim and Carlos Antônio.

Syntax and Examples
Devise

rails generate devise MODEL

This adds the Devise functionality to the model named MODEL (for example, User). The controller helpers below are named after that model; the ones shown are for a model called User.

before_action :authenticate_user!

Placed in a controller (as before_filter in older Rails versions), this authenticates the user before any action in that controller is performed. If authentication fails, the action is not performed.

current_user

This method returns the user who is currently signed in, or nil if nobody is.

user_signed_in?

This method returns true if a user is signed in and false otherwise.

Authlogic
Authlogic exposes the login as a session object with four operations: creating a new session from the submitted credentials, saving the session (which logs the user in), destroying the session (which logs the user out), and persisting the session across requests, i.e. finding the session record on each request so that the user stays logged in.

Devise
On 25 November 2010, Plataformatec released Devise 1.0.9 to fix a session fixation vulnerability. The attack affected server-side session stores such as ActiveRecord and memcached, where a session id planted in the victim's browser before sign-in keeps pointing at the same server-side record afterwards. It had no effect on the cookie-based store that Rails provides by default, because there the session contents live in the signed cookie itself rather than in a server-side record.

On 26 January 2013, Plataformatec fixed a bug in how request parameters were converted to strings before being used in database lookups, so that a lookup no longer returns an incorrect record. Previously, an attacker could submit a crafted (non-string) parameter value that caused the query to match a record other than the intended one, providing unauthorised access.

A similar fixation issue with the CSRF token was fixed in August 2013. The token was carried over from the unauthenticated session into the authenticated one, so an attacker who had obtained a token before the victim signed in could use it to perform cross-site request forgery against the server afterwards. The fix was to delete the CSRF token from the session once authentication has taken place, so that a fresh token is issued.
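The two fixes above have the same shape: on sign-in, throw away whatever the attacker could have planted or observed before the victim authenticated. The following is an added example, not Devise's code. An in-memory store stands in for the ActiveRecord and memcached session stores the advisory names; a vulnerable login that keeps the incoming session id is shown beside a hardened one that issues a fresh id and drops the CSRF token, which is the effect of Rails' reset_session combined with the Devise fix. The SessionStore class, the function names and the token value are constructed for this example.

```ruby
require 'securerandom'

# In-memory stand-in for a server-side session store (the ActiveRecord and
# memcached stores the advisory names). The browser only holds the session id;
# everything else lives here, keyed by that id.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Issue a fresh, unpredictable id with an empty session behind it.
  def create
    sid = SecureRandom.hex(16)
    @sessions[sid] = {}
    sid
  end

  def known?(sid)
    @sessions.key?(sid)
  end

  # Data for an id; an unknown id gets an empty session, as a plain store
  # would do for a cookie it has never seen.
  def data(sid)
    @sessions[sid] ||= {}
  end

  def delete(sid)
    @sessions.delete(sid)
  end
end

# Vulnerable login: writes the authenticated user into whatever session the
# request arrived with and keeps its id, so a pre-planted id stays valid.
def login_without_rotation(store, sid, user_id)
  store.data(sid)[:user_id] = user_id
  sid
end

# Hardened login: discards the pre-authentication session, issues a fresh id
# and drops the CSRF token, so neither the id nor a token captured before
# sign-in is usable afterwards (the effect of reset_session plus Devise's
# deletion of the CSRF token on sign-in).
def login_with_rotation(store, sid, user_id)
  carried_over = store.data(sid).dup
  store.delete(sid)
  new_sid = store.create
  store.data(new_sid).merge!(carried_over)
  store.data(new_sid).delete(:_csrf_token)
  store.data(new_sid)[:user_id] = user_id
  new_sid
end

# Fixation scenario: the attacker obtains a valid anonymous session (and its
# CSRF token), plants that id in the victim's browser, and the victim then
# signs in as user 42 while carrying it. Returns what the attacker ends up with.
def run_fixation_scenario(login)
  store = SessionStore.new
  attacker_sid = store.create
  store.data(attacker_sid)[:_csrf_token] = 'token-seen-by-attacker' # constructed value
  victim_sid = login.call(store, attacker_sid, 42)
  {
    session_id_changed: victim_sid != attacker_sid,
    attacker_logged_in: store.known?(attacker_sid) && store.data(attacker_sid)[:user_id] == 42,
    csrf_token_reusable: store.data(victim_sid)[:_csrf_token] == 'token-seen-by-attacker'
  }
end

if __FILE__ == $PROGRAM_NAME
  p run_fixation_scenario(method(:login_without_rotation))
  p run_fixation_scenario(method(:login_with_rotation))
end
```

Against the vulnerable login the attacker's id is now an authenticated session and the token they saw is still accepted; against the hardened login the planted id no longer exists and the token is gone. The same check can be pointed at any login routine that takes the incoming session and returns the session id the response should set.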

As of the latest version, 3.5.2, no vulnerabilities are reported.

AuthLogic
AuthLogic itself has had no security issue of its own to date. The one reported vulnerability involving it, in January 2013, was a SQL injection in Rails that AuthLogic was known to trigger. Exploiting it required two things to be known:

1) That AuthLogic was being used.

2) The application's session secret token.

How exactly the vulnerability worked was not explained at the time, which caused confusion. The remedy was to upgrade to the latest Rails version, or at least to keep the session secret token secret, by making sure the application is not running with a default or published token.
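The precondition on the session secret is the part of this issue worth seeing in code. The following is an added example, not Rails' or AuthLogic's own code: it models a Rails 3 style signed session cookie (HMAC-SHA1 over the serialised session), shows that whoever knows the secret token can mint a cookie the application accepts, and includes the kind of check a deployment should apply to its secret. The cookie layout is simplified (JSON instead of Marshal), and the user_id session key and the placeholder-secret list are constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Simplified model of a Rails 3 signed session cookie:
#   base64(payload) + "--" + hex(HMAC-SHA1(secret_token, base64(payload)))
# Rails serialised the session with Marshal; JSON is used here so the example
# never deserialises arbitrary objects.
def sign_cookie(session, secret_token)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA1', secret_token, payload)}"
end

# Constant-time comparison so the verifier does not leak the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash if the signature matches, nil otherwise.
def verify_cookie(cookie, secret_token)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret_token, payload)
  return nil unless secure_compare(expected, digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Anyone holding the secret can mint a cookie the application will trust, for
# any user id (and, in the 2013 Rails issue, for any serialised object that a
# finder would then interpolate into SQL). The 'user_id' key is an assumption.
def forge_cookie_for(user_id, known_secret)
  sign_cookie({ 'user_id' => user_id }, known_secret)
end

# Constructed placeholders standing in for secrets copied from templates or tutorials.
PLACEHOLDER_SECRETS = %w[changeme secret replace_me_with_a_real_secret].freeze

# What a deployment check should insist on: a long random value that is not a
# known placeholder. 64 random bytes (128 hex characters) is what `rake secret`
# generated for Rails 3 applications.
def secret_token_acceptable?(secret_token)
  secret_token.is_a?(String) &&
    secret_token.bytesize >= 64 &&
    !PLACEHOLDER_SECRETS.include?(secret_token)
end

def generate_secret_token
  SecureRandom.hex(64)
end

if __FILE__ == $PROGRAM_NAME
  secret = generate_secret_token
  cookie = sign_cookie({ 'user_id' => 7 }, secret)
  p verify_cookie(cookie, secret)
  p verify_cookie(forge_cookie_for(1, secret), secret)   # accepted: secret was known
  p verify_cookie(forge_cookie_for(1, secret), generate_secret_token) # nil: different secret
end
```

A forged cookie verifies exactly as a genuine one does when the attacker has the same secret, and fails when the secret differs or the signature is tampered with; this is why a secret shared across deployments, or left at a value from a template, turns every signed-cookie protection into nothing.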