nw0428 / usersexample

An example of how to integrate users into rails


Authentication

What is authentication

Authentication is the act of confirming that somebody is genuine or real. In our case, authentication means validating that a person is who they say they are by having them tell us a secret that only the two of us know. This differs from authorization, which is the act of allowing or disallowing actions for a user.

How do we use it in rails?

Devise is the answer. Always use Devise. Many people try to roll their own auth, but unless you have strong crypto experience and a deep understanding of common attacks, I would not advise this. While Devise is the easy answer, there are some things Devise can't do. There are also times when you want to use someone else for your auth.

from scratch

devise rails cast

devise git

secure an api

auth through someone else

oauth

facebook

Testing

stubbing out authenticate_user

https://github.com/plataformatec/devise/wiki/How-To:-Stub-authentication-in-controller-specs

using rspec sign_in and factory girl

https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-3-and-4-(and-RSpec)

Why is it hard

People are evil and tricky.

sql injection

timing attacks

store hashed/encrypted passwords only
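
The last two items above (timing attacks, storing only hashed passwords), sketched in Ruby as an added example that is not code from this repository. It assumes PBKDF2 from Ruby's bundled OpenSSL in place of the bcrypt hashing Devise uses by default; the helper names and the sample user are made up for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt so this runs without gems.
ITERATIONS = 100_000
KEY_LEN = 32

# Only this string is stored: "iterations$salt_hex$hash_hex".
# A fresh random salt per password makes equal passwords hash differently.
def hash_password(password, salt: SecureRandom.random_bytes(16))
  key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                                   OpenSSL::Digest.new('SHA256'))
  [ITERATIONS, salt.unpack1('H*'), key.unpack1('H*')].join('$')
end

# Visits every byte even after a mismatch, so the time taken does not
# reveal how many leading bytes of a guess were right (unlike ==).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def verify_password(password, stored)
  parts = stored.to_s.split('$')
  return false unless parts.size == 3
  iterations = parts[0].to_i
  return false unless iterations.positive?
  salt = [parts[1]].pack('H*')
  expected = [parts[2]].pack('H*')
  candidate = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LEN,
                                         OpenSSL::Digest.new('SHA256'))
  secure_compare(candidate, expected)
end

# Constructed sample data standing in for a users table: email => stored hash.
USERS = { 'alice@example.com' => hash_password('correct horse battery staple') }
# Hash of a random throwaway secret, used when the account does not exist.
DUMMY = hash_password(SecureRandom.hex(16))

def authenticate(email, password, users: USERS)
  stored = users[email]
  # Unknown account: still pay for a full hash, so response time does not
  # tell a caller which email addresses are registered.
  matched = verify_password(password, stored || DUMMY)
  matched && !stored.nil?
end
```

In a Devise application the equivalents are already provided: Devise hashes passwords with bcrypt and exposes `Devise.secure_compare` for constant-time comparison.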
