Salted Hash Login Generator

Posted by Curtis Miller

The remainder of the day, I worked with Ruby on Rails – I am a n00b, so be kind. I am currently looking at the requirements for login and registration. I rolled my own login and registration that was pretty simple using SHA1 encryption for the password, but it was extremely simplistic. So what other options are there besides reinventing the wheel?

There are several options for this particular functionality. The LoginGenerator was the first I found on the RoR Wiki, but I soon abandoned that in favor of a generator called the SaltedHashLoginGenerator that was referenced a few paragraphs down the page. It stated it was:

“a newer descendant of this codebase adds ActionMailer support for changed and forgotten passwords, as well as account verification via a registration email with a custom URL sent to the user's registered address.”

Sounds good to me. Talk about knocking out several requirements with one solution…if it works, that is. My advice to anyone thinking about using the SHLG (1.1.1) is to read all the documentation. I encountered several blogs that said “Don't use it!” or “I can't figure it out!”. Either they had an old, broken version or they did not RTFM. Some things that can be easily overlooked:

  1. Check if you have the iconv library installed. If not, then get it.
  2. After executing script/generate salted_login <User Name> <Localization Name> two files are produced that you need to read: README_<User Name>_LOGIN and README_<Localization Name>. If you read those and follow the instructions, then you should have no problems.
  3. Implicit multipart e-mail messages will not work with the Localization generator. See here or look in the Rails Recipes, pages 295-298. This caused me some frustration, but following the advice in the list thread worked. Unfortunately, I think this may impact the ability to localize the e-mails. Not a big deal for me at the moment, but it could be for some people. After making that change, you may add view files to app/views/<User Name>_notify for each part of your multipart message. For example, I have signup.text.html.rhtml and signup.text.plain.rhtml for my HTML and plain text messages respectively.

I hope this helps someone. Let me know your experiences with LoginGenerator, SaltedHashLoginGenerator, or suggestions on other alternatives.

Update: Also, if you modify a file in the config or lib directories then you must restart the server for the change to take effect.
