
User Authentication with Rails and Backbone.js - waratuman
http://42floors.com/blog/posts/user-authentication-with-rails-and-backbone-js
======
YuriNiyazov
One of the fundamental difficulties of handling login with Backbone.js is that
your regular site is usually served off HTTP, but you want to send credentials
via HTTPS, which requires various hacks, or a full page refresh. By posting up
something that doesn't handle that problem, I'm afraid that the OP is putting
a newbie who isn't aware of that problem in danger since they are apt to copy
this tutorial verbatim.

~~~
pilif
If you are transmitting the login information over SSL, I would assume that
you already have SSL configured. Why not just serve the whole site over SSL
constantly? That would fix this issue _and_ provide better security by making
it impossible for a MITM to redirect the login form to the HTTP version (or,
if you are using an iframe, MITM the iframe over plain HTTP).

~~~
awj
> Why not just serve the whole site over SSL constantly?

Because now you have to serve every single bit of your page over SSL (to avoid
security warnings) and that means none of your page content can be cached. It
also makes relatively mundane things, like having your proxy server
communicate the originating IP address, much harder. I can set up haproxy to
add an X-Forwarded-For header in almost no time flat. In fact I just gave you
enough information to google that solution for yourself. Solving that problem
over SSL is much harder.

Engineering a MITM attack is _much_ more technically difficult than snooping
traffic. Not every company actually _needs_ to turn the security knob up to 11
on this aspect, and being able to do unencrypted-page-with-encrypted-login is
a good trade-off when you can make it.

~~~
chc
None of your page content can be cached? Just add a Cache-Control header —
done and done, even for people with relatively old browsers.

------
patio11
You probably want attr_accessible in there.
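What attr_accessible protects against, as an added example that is not part of the post or the 42floors tutorial: Backbone's model.save posts the whole model as JSON, so any key the client adds reaches the Rails controller, and without a whitelist every key becomes a setter call on the model. The User class, its attributes (email, password, admin) and the request body are constructed for this example and are not from the tutorial.

```ruby
require 'json'

# Plain-Ruby stand-in for a Rails 3 ActiveRecord model (class and attribute
# names are assumptions for this example).
class User
  attr_accessor :email, :password, :admin

  def initialize
    @admin = false
  end

  # Unprotected mass assignment: every key in the params hash becomes a setter
  # call, which is what ActiveRecord does with no attr_accessible declared.
  def self.from_params_unsafe(attrs)
    u = new
    attrs.each { |k, v| u.public_send("#{k}=", v) }
    u
  end

  # Equivalent of `attr_accessible :email, :password`: only whitelisted keys
  # are assigned, everything else (here "admin") is silently dropped.
  ACCESSIBLE = %w[email password].freeze

  def self.from_params_whitelisted(attrs)
    u = new
    attrs.select { |k, _| ACCESSIBLE.include?(k.to_s) }
         .each { |k, v| u.public_send("#{k}=", v) }
    u
  end
end

# Constructed request body of the kind Backbone's model.save would POST to
# /users: the client has added an "admin" key the signup form never exposed.
TAMPERED_JSON = '{"user":{"email":"a@example.com","password":"hunter2","admin":true}}'

# Mimics a UsersController#create that builds the model straight from params.
def create_user(body, whitelist: true)
  attrs = JSON.parse(body)['user']
  whitelist ? User.from_params_whitelisted(attrs) : User.from_params_unsafe(attrs)
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected admin flag: #{create_user(TAMPERED_JSON, whitelist: false).admin}"
  puts "whitelisted admin flag: #{create_user(TAMPERED_JSON).admin}"
end
```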

------
rurounijones
Why the custom password handling when they could just have used Rails' new
[http://apidock.com/rails/ActiveModel/SecurePassword/ClassMet...](http://apidock.com/rails/ActiveModel/SecurePassword/ClassMethods/has_secure_password)
feature?

------
darius
Or just use devise. Backbone will work just fine with it.

~~~
mshafrir
Does Devise handle XHR and JSON (requests/responses) out of the box?

~~~
atomical
Yes.

1.3.1

*sessions/new and registrations/new also respond to xml and json now

------
benologist
As always this looks like very useful information for people looking for
office space!

