
Robert K's Profile

GitHub User: rk

Site: http://www.voiceplex.net/

Comments by Robert K


Ryan,

One problem with your method is that, while the authentication tokens cannot be guessed, they can be duplicated and used on another system. It's close to session fixation. I think that the user record should probably store their login OS/Browser checksum to validate any returning users.

At least then it would be harder to steal a session.
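The check Robert proposes, binding a persistent login token to a checksum of the client's browser/OS, can be sketched in plain Ruby. This is an added illustration, not code from the RailsCasts episode or from Robert; the `RememberMeStore` class, the `user_id:token` cookie layout and the choice of `User-Agent` plus `Accept-Language` as the fingerprint inputs are all assumptions made for the example. The store keeps only a SHA-256 digest of the token (so a database leak does not hand out usable cookies) and compares both the token digest and the fingerprint in constant time. One caveat a practitioner should keep in mind: the fingerprint only stops an attacker who obtained the cookie but not the accompanying request headers, since `User-Agent` is not secret and can be replayed along with the cookie, and it will also log legitimate users out whenever their browser upgrades.

```ruby
require 'digest'
require 'securerandom'

# Added example (not RailsCasts' or the commenter's code): a remember-me token
# store that ties each persistent login token to a hash of client attributes,
# so a token copied to a client presenting different headers is rejected.
class RememberMeStore
  UserRecord = Struct.new(:id, :token_digest, :client_fingerprint)

  def initialize
    @users = {} # user id => UserRecord; stands in for the users table
  end

  # "Browser/OS checksum". Assumption for this example: only User-Agent and
  # Accept-Language feed the hash; real deployments may pick other attributes.
  def self.fingerprint(headers)
    Digest::SHA256.hexdigest([headers['User-Agent'], headers['Accept-Language']].join("\n"))
  end

  # Issue a fresh random token for user_id and remember the digest of the token
  # plus the fingerprint of the client that logged in. Returns the raw token,
  # which is what goes into the cookie (never stored server-side).
  def issue_token(user_id, headers)
    token = SecureRandom.hex(32)
    @users[user_id] = UserRecord.new(user_id,
                                     Digest::SHA256.hexdigest(token),
                                     self.class.fingerprint(headers))
    token
  end

  # Validate a cookie of the form "user_id:token" against the current request
  # headers. Returns the user id on success, nil on any mismatch.
  def authenticate(cookie_value, headers)
    user_id, token = cookie_value.to_s.split(':', 2)
    return nil if user_id.nil? || token.nil?
    user = @users[user_id.to_i]
    return nil unless user
    # Both comparisons must pass: the token itself and the client checksum.
    return nil unless secure_equal(Digest::SHA256.hexdigest(token), user.token_digest)
    return nil unless secure_equal(self.class.fingerprint(headers), user.client_fingerprint)
    user.id
  end

  private

  # Constant-time string comparison so timing does not leak how many leading
  # bytes of a guessed digest were correct.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  # Constructed sample headers for a legitimate client and for a second machine
  # that received a copy of the cookie.
  victim = { 'User-Agent' => 'Mozilla/5.0 (X11; Linux) Firefox/3.5', 'Accept-Language' => 'en-US' }
  other  = { 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1) MSIE 8.0', 'Accept-Language' => 'de-DE' }
  store  = RememberMeStore.new
  cookie = "42:#{store.issue_token(42, victim)}"
  puts "same client:  #{store.authenticate(cookie, victim).inspect}"
  puts "other client: #{store.authenticate(cookie, other).inspect}"
end
```

The fingerprint check is a hardening measure layered on top of an unguessable token, not a replacement for it; the token digest comparison still has to pass first.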