Saturday, December 19, 2015

Understanding the Rails Authenticity Token

What happens

When the user views a form to create, update, or destroy a resource, the Rails app creates a random authenticity_token, stores this token in the session, and places it in a hidden field in the form. When the user submits the form, Rails looks for the authenticity_token, compares it to the one stored in the session, and if they match the request is allowed to continue.

Why it happens

Since the authenticity token lives in the server-side session and only reaches the browser inside a form that this app rendered, a third-party site has no way to learn its value. This prevents anyone from submitting forms to a Rails app without first viewing the form within that app itself. Imagine that you are using service A: you logged into the service and everything is fine. Now imagine that you go to service B, see a picture you like, and click it to view a larger version. If some evil code is running on service B, it might send a request to service A (which you are logged into) asking to delete your account, by sending a request to http://serviceA.com/close_account. Because your browser attaches service A's session cookie to that request, service A would act on it unless it also demands the token. This is what is known as CSRF (Cross Site Request Forgery).
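The token flow described above, as an added example that is not from the original post: a minimal Ruby stand-in for the Rails session and the authenticity-token check, using a constant-time comparison so the token cannot be recovered byte by byte from timing. Rails itself compares with ActiveSupport::SecurityUtils.secure_compare and, since 4.2, masks the token differently on every rendered form; the CsrfGuard class, csrf_demo and the hash used as a session are assumed names for this illustration, not Rails API.

```ruby
require "securerandom"

# Stand-in for the per-session authenticity token Rails keeps (assumed name).
class CsrfGuard
  TOKEN_BYTES = 32

  # Called when a form is rendered: mint one token per session and reuse it,
  # so several forms open in the same browser all validate.
  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(TOKEN_BYTES)
  end

  # The hidden field the form helper emits.
  def self.hidden_field(session)
    %(<input type="hidden" name="authenticity_token" value="#{token_for(session)}">)
  end

  # Called on POST/PUT/PATCH/DELETE: the submitted token must be present and
  # equal to the session copy. A missing session token also fails closed.
  def self.verified?(session, params)
    expected  = session[:_csrf_token]
    submitted = params["authenticity_token"]
    return false if expected.nil? || submitted.nil?
    secure_equal?(expected, submitted)
  end

  # Constant-time comparison: OR together every byte difference instead of
  # returning at the first mismatch.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The scenario from the post: the user loads a form on service A, then a
# forged request to /close_account arrives from service B, which never saw
# the form and so cannot supply (or guess) the token.
def csrf_demo
  session = {}                               # service A's session for this user
  form    = CsrfGuard.hidden_field(session)  # user views the form on service A
  token   = form[/value="([^"]+)"/, 1]       # browser echoes it back on submit

  legit   = CsrfGuard.verified?(session, { "authenticity_token" => token })
  forged  = CsrfGuard.verified?(session, {})
  guessed = CsrfGuard.verified?(session, { "authenticity_token" => SecureRandom.base64(32) })
  { legit: legit, forged: forged, guessed: guessed }
end
```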

Wednesday, April 30, 2014

Configure Authlogic to log in with “username” OR “email”



It's very simple to configure Authlogic to accept more than one attribute for login.

For example, if you want to let users log in with either their email or their username, you just need to add the following to your code:

# app/models/user_session.rb: tell Authlogic which class method resolves a login string
class UserSession < Authlogic::Session::Base
  find_by_login_method :find_by_username_or_email
end
and in user.rb
# app/models/user.rb: try the username column first, then fall back to email
def self.find_by_username_or_email(login)
  User.find_by_username(login) || User.find_by_email(login)
end