Jump to content

User:Rshah5/sandbox

From Wikipedia, the free encyclopedia


Introduction

[edit]

AuthLogic and Devise are both Ruby gems that provide the same service, authentication. While they are similar in most cases, their differences make them individual gems.This Wiki Page is a comparative study on these two Ruby gems.

AuthLogic has 65 versions with the latest one being version 3.4.6, released on July 13th, 2015. The first version was released on 3rd November, 2008. The author for AuthLogic is Ben Johnson of Binary Logic[1]. The gem that was popular before AuthLogic was restful_authentication. Unlike restful_authentication, AuthLogic generates only the authentication logic and not the Model-View-Controller pattern thereby resulting in a clean and uncomplicated code that is relatively easier to understand.[2]

Devise has a total of 136 versions between it’s first version in October 21, 2009 and latest one in August 10, 2015. The authors of this gem are José Valim and Carlos Antônio.[3]

Comparison[1][3]

[edit]
Parameters Devise AuthLogic
Latest Version 3.5.2 3.4.6
Latest Release Date August 10, 2015 July 13, 2015
Software License MIT MIT
Platform Cross-Platform Cross-Platform
Security Grade[4] 750 750
Full Stack Yes No
Omni-Auth Support[5] Yes Yes
Runtime Dependencies bcrypt ~> 3.0

orm_adapter ~>0.1

railties <5,>=3.2.6

responders >=0

thread_safe ~>0.1

warden ~>1.2.3

activerecord >= 3.2

activesupport >= 3.2

request_store ~> 1.0

scrypt < 3.0, >= 1.2

ORM supported ActiveRecord and Mongoid ActiveRecord
Rails Version 1.9.3 3
Custom Controllers[6] Yes Yes
Activejob Integration Yes Yes

Syntax and Examples

[edit]

Devise[7]

[edit]

rails generate devise <MODEL>

This is used to create the devise functionality to any model named “MODEL”.

> rails generate devise User

before_<ACTION> :authenticate_<MODEL> ! As the command suggests, this is used to authenticate a particular model before an action is performed. If the result of this is false, then the action is not performed.

> before_filter :authenticate_user!

current_user

This method returns the user which is currently logged in the system.

user_signed_in?

This method checks whether the user has signed in or not.

Authlogic[8]

[edit]

To create a new session.

UserSession.create(:login => "name", :password => "password", :remember_me => true)

To save the session.

session.save

To destroy the session.

session.destroy

Persisting a session (i.e. finding the record) across requests. It keeps the user logged in.

session = UserSession.find

Security

[edit]

Devise

[edit]

On 25th November 2010, Plataformatec had released Devise 1.0.9 to fix a vulnerability caused due to session fixation. This attack affected server stores like ActiveRecord and MemCached. But had no effect on cookie based stores which is provided by Rails by default.[9]

On 26th Jan, 2013, Plataformatec fixed a bug which involved the conversion of string so that it does not return incorrect records. Previously, an attacker could shoot a query which could provide unauthorised access.[10]

A similar fixation attack was made on the CSRF token later in August 2013. This vulnerability allowed the attackers to perform cross-site forgery request to the server. The vulnerability was solved by deleting the CSRF token after the authentication has been made.[11]

Currently, the latest version 3.5.2, no vulnerabilities are reported.

AuthLogic

[edit]

AuthLogic hasn’t had any such security issue till date. However, the first reported vulnerability was in January, 2013 where AuthLogic was known to trigger SQL Injection in Rails. In the exploitable scenario, two things were required to be known:

1) Whether AuthLogic was being used.

2) Whether the session secret token was known.

However, how exactly the vulnerability worked was not explained resulting in confusion. The solution to overcome this vulnerability was to upgrade to the latest Rails version or to uphold the secrecy of the session token, by ensuring the default one isn’t used for every new session.[12]

[edit]

References

[edit]
  1. ^ a b "authlogic | RubyGems.org | your community gem host". rubygems.org. Retrieved 2015-09-16.
  2. ^ "#160 Authlogic - RailsCasts". railscasts.com. Retrieved 2015-09-16.
  3. ^ a b "devise | RubyGems.org | your community gem host". rubygems.org. Retrieved 2015-09-16.
  4. ^ SECUR1TY. "SECUR1TY: Security search engine and marketplace". secur1ty.com. Retrieved 2015-09-16.{{cite web}}: CS1 maint: numeric names: authors list (link)
  5. ^ "http://devise.plataformatec.com.br/". {{cite web}}: External link in |title= (help)
  6. ^ "Bare-bone, stripped-down Devise". Retrieved 2015-09-16.
  7. ^ "Devise: flexible authentication solution for Rails". Retrieved 2015-09-16.
  8. ^ "binarylogic/authlogic". GitHub. Retrieved 2015-09-16.
  9. ^ "Session fixation vulnerability in Devise". Retrieved 2015-09-16.
  10. ^ "Security announcement: Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 released". Retrieved 2015-09-16.
  11. ^ "CSRF Token Fixation Attack in Devise".
  12. ^ "Rails SQL injection vulnerability: hold your horses, here are the facts". Phusion Blog. Retrieved 2015-09-16.