Home/ Questions/Q 7758741
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T13:26:33+00:00

I am trying to build a rails 3 back-end for a mobile application. However,

  • 0

I am trying to build a rails 3 back-end for a mobile application. However, I am new to creating rails 3 apps.

Users will need to have a session on the server, but I have no support for normal cookies, so I would need to send a session_id along with every request.

What kind of authentication system should I use in rails 3, is there a gem?

I have read that in rails 2 it was possible to set the session_id from the URL, but that this function is stripped from rails 3 due to security concerns. Is this even true? If there is a way to do this, I am very interested, despite the possible security holes.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Update

    A small update: Devise no longer has authentication_token as its implementation was deemed too insecure. A good alternative is Brian Auton’s suggestion.

    The summary of his method is that he generates an authentication_key AND authentication_secret in a separate model. You then authenticate by sending both your key and secret, if a match is found you are temporarily signed in as a user.

    In your application controller this looks like so:

    class ApplicationController < ActionController::Base
  before_filter :authenticate_from_token

  protected

  def authenticate_from_token
    if current_token.try :authenticatable
      sign_in token.authenticatable, store: false
    end
  end

  def current_token
    AuthenticationToken.find_authenticated({
      secret: (params[:secret] || request.headers[:secret]),
      secret_id: (params[:secret_id] || request.headers[:secret_id]),
    })
  end
end

    The authenticatable of the token in this case is a User model, or any other thing that has been made authenticatable (the tokens are polymorphic). As you can see it can easily be made to work with Devise.

    I like this method a lot and have implemented it in a recent API. Do read up on it on his website.

    Old answer

    Outdated answer, kept for reference to older versions of Devise: Devise has a ‘authentication_token’ column which I can use for authenticating a user. I could have a login API method which I will send a username + password too, then get the token back and store that locally to sign all my other calls with. It basically is a cookie system, but one that is directly supported by Devise.

    On top of this I could re-generate the token on either every call or on every ‘session’.

    • 0