Robert K's Profile

GitHub User: rk


Comments by Robert K
One problem with your method is that, while the authentication tokens cannot be guessed, they can be duplicated and used on another system. It's close to session fixation. I think that the user record should probably store their log-in OS/browser checksum to validate any returning users.

At least then it would be harder to steal a session.
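The check the comment proposes, as an added Ruby example (it is not code from the commenter or from the RailsCasts episode being discussed). It assumes a remember-me token stored on the user record, uses a SHA-256 of the User-Agent header as the "OS/browser checksum", and stands in an in-memory hash for the database. The last call in `demo` shows the limit of the idea: the fingerprint comes from attacker-controlled headers, so a replay that also copies the User-Agent still passes; binding narrows the window for a casual token copy but is not a substitute for short-lived tokens and rotation.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory "user record" store; a real app would use the DB.
USERS = {}

# Assumption: the "OS/browser checksum" is a SHA-256 of the User-Agent header.
# Anything the client sends can be copied along with the token, so this is
# a hurdle for naive replay, not a proof of identity.
def client_fingerprint(user_agent)
  Digest::SHA256.hexdigest(user_agent.to_s)
end

# Only a digest of the token is stored; a leaked table does not yield working tokens.
def hash_token(token)
  Digest::SHA256.hexdigest(token.to_s)
end

# Issue a fresh remember-me token bound to the caller's fingerprint.
def issue_token(user_id, user_agent)
  token = SecureRandom.urlsafe_base64(32)
  USERS[user_id] = {
    token_digest: hash_token(token),
    fingerprint: client_fingerprint(user_agent)
  }
  token
end

# Constant-time comparison so timing does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Validate a returning client: the token digest must match AND the
# fingerprint recorded at login must match the one presented now.
# Returns :ok, :bad_token or :fingerprint_mismatch.
def validate_return(user_id, token, user_agent)
  record = USERS[user_id]
  return :bad_token unless record && secure_equal?(record[:token_digest], hash_token(token))
  return :fingerprint_mismatch unless secure_equal?(record[:fingerprint], client_fingerprint(user_agent))
  :ok
end

# Walk through the cases: legitimate return, token replayed from another
# system, a guessed token, and a replay that also copied the User-Agent.
def demo
  ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"   # constructed header
  token = issue_token(42, ua)
  [
    validate_return(42, token, ua),                           # :ok
    validate_return(42, token, "curl/8.4.0"),                 # :fingerprint_mismatch
    validate_return(42, SecureRandom.urlsafe_base64(32), ua), # :bad_token
    validate_return(42, token, ua.dup)                        # :ok, the fingerprint was copied too
  ]
end

p demo if $PROGRAM_NAME == __FILE__
```

Running the file prints `[:ok, :fingerprint_mismatch, :bad_token, :ok]`; the fourth result is why the fingerprint should be treated as a speed bump rather than a session binding.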