User Authentication with Rails and Backbone.js

42floors.com

69 points by waratuman 14 years ago · 18 comments

YuriNiyazov 14 years ago

One of the fundamental difficulties of handling login with Backbone.js is that your regular site is usually served off HTTP, but you want to send credentials via HTTPS, which requires various hacks, or a full page refresh. By posting up something that doesn't handle that problem, I'm afraid that the OP is putting a newbie who isn't aware of that problem in danger since they are apt to copy this tutorial verbatim.

  • pilif 14 years ago

    If you are transmitting the login information over SSL, I would assume that you already have SSL configured. Why not just serve the whole site over SSL constantly? That would fix this issue and provide better security by making it impossible for a MITM to redirect the login form to the HTTP version (or, if you are using an iframe, MITM the iframe over plain HTTP).

    • awj 14 years ago

      > Why not just serve the whole site over SSL constantly?

      Because now you have to serve every single bit of your page over SSL (to avoid security warnings), and that means none of your page content can be cached. It also makes relatively mundane things, like having your proxy server communicate the originating IP address, much harder. I can set up haproxy to add an X-Forwarded-For header in almost no time flat. In fact I just gave you enough information to google that solution for yourself. Solving that problem over SSL is much harder.

      Engineering a MITM attack is much more technically difficult than snooping traffic. Not every company actually needs to turn the security knob up to 11 on this aspect, and being able to do unencrypted-page-with-encrypted-login is a good trade-off when you can make it.

      • chc 14 years ago

        None of your page content can be cached? Just add a Cache-Control header — done and done, even for people with relatively old browsers.

  • jashkenas 14 years ago

    What "various hacks" does submitting an HTTPS login form require?

    For what it's worth, if you want real HTTPS security, you can't serve pages from your "regular site" over HTTP -- especially pages with a login form on them -- doing so is an invitation for a man in the middle to step in and phish your visitors.

    • YuriNiyazov 14 years ago

      I do not mean submitting an HTTPS login form, which works just fine, but forces a full page refresh. I mean capturing a submit and sending the credentials via AJAX, but to HTTPS, which is forbidden by the security sandbox. You end up doing various unkosher things like bringing up the login form over HTTPS in an iframe while the site itself is brought up over HTTP.

      Yes, this is fundamentally insecure, and I am aware that this is not a problem with Backbone specifically, but a general problem with the approach of building browser apps without page refreshes over HTTP for everything except for the login screen.

  • pushtheenvelope 14 years ago

    Thank you for pointing this out. As someone who hasn't explicitly tried out backbone.js yet but wanted to use it for a future project, this is something that was at the back of my mind.

  • waratuman (OP) 14 years ago

    Yes, this is true. I'll mention this in an update. When working in dev I've always just used regular HTTP. I'll mention how to configure Rails to use SSL.
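The thread above turns on one check: once the login page is served over HTTPS, nothing on it may still be fetched over plain HTTP, because a script or iframe loaded over HTTP is exactly the MITM foothold pilif and jashkenas describe, and it is also what triggers the browser warnings awj mentions. (On the Rails side, `config.force_ssl = true` in the environment config redirects HTTP requests to HTTPS; the check below is about the page contents.) The following is an added example, not code from the tutorial or from the thread: a small stdlib-only Ruby scanner that lists the `http://` subresources an HTTPS page would load. The sample page and host names are constructed; the scanner covers HTML attributes only, not CSS `url()` or `@import`.

```ruby
# Added example (not from the thread): find subresources that an HTTPS page
# would fetch over plain HTTP ("mixed content"). Such a resource can be replaced
# by anyone on the network path, which defeats the point of an HTTPS login form.
require 'uri'

# HTML attributes that make the browser fetch or post to a URL.
FETCH_ATTRS = {
  'script' => %w[src],
  'iframe' => %w[src],
  'img'    => %w[src],
  'link'   => %w[href],
  'form'   => %w[action],
}.freeze

# Returns [tag, url] pairs for every reference that is an absolute http:// URL.
# Scheme-relative ("//cdn...") and relative URLs inherit the page's scheme and
# are therefore fine on an HTTPS page; a page served over HTTP has no findings,
# since everything on it is already unprotected.
def mixed_content(html, page_url)
  page = URI.parse(page_url)
  return [] unless page.scheme == 'https'

  findings = []
  html.scan(/<(\w+)\b([^>]*)>/m) do |tag, attrs|
    tag = tag.downcase
    next unless FETCH_ATTRS.key?(tag)
    FETCH_ATTRS[tag].each do |attr|
      m = attrs.match(/\b#{attr}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i)
      next unless m
      value = (m[1] || m[2] || m[3]).strip
      findings << [tag, value] if value =~ %r{\Ahttp://}i
    end
  end
  findings
end

# Constructed sample: a login page served over HTTPS that still pulls a script
# from an HTTP CDN and posts the credentials to an HTTP endpoint.
SAMPLE_PAGE = <<~HTML
  <html><head>
    <link rel="stylesheet" href="https://static.example.test/app.css">
    <script src="http://cdn.example.test/backbone.js"></script>
    <script src="//cdn.example.test/underscore.js"></script>
  </head><body>
    <form action="http://www.example.test/sessions" method="post">
      <input name="email"><input name="password" type="password">
    </form>
    <img src="/logo.png">
  </body></html>
HTML

if __FILE__ == $0
  mixed_content(SAMPLE_PAGE, 'https://www.example.test/login').each do |tag, url|
    puts "#{tag}: #{url}"
  end
end
```

Run against the sample it reports the `script` from the HTTP CDN and the `form` posting to HTTP; the scheme-relative script and the relative image are not flagged. A page that passes this check can be cached normally with a `Cache-Control` header, as chc notes; caching is a property of the response headers, not of the scheme.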

patio11 14 years ago

You probably want attr_accessible in there.

rurounijones 14 years ago

Why the custom password handling when they could just have used Rails' new http://apidock.com/rails/ActiveModel/SecurePassword/ClassMet... feature?
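patio11's point (`attr_accessible`, so that a tampered sign-up request cannot set fields like `admin` through mass assignment) and rurounijones's point (`has_secure_password` instead of hand-rolled password handling) both concern the user model. The following is an added example, not the tutorial's code and not Rails' implementation: a plain-Ruby model whose `assign_attributes` only accepts a whitelist of keys, the way `attr_accessible` did for ActiveRecord, and whose `password=` and `authenticate` follow the interface of `has_secure_password`. Rails' feature uses bcrypt; PBKDF2-HMAC-SHA256 from the standard library is substituted here only so the file runs without extra gems. The tampered request parameters are constructed.

```ruby
# Added example (not from the tutorial): whitelisted mass assignment plus a
# has_secure_password-style interface, using only the Ruby standard library.
require 'openssl'
require 'securerandom'

class User
  # The only keys a request may set (the attr_accessible idea).
  ACCESSIBLE = %w[email password password_confirmation].freeze
  PBKDF2_ITERATIONS = 100_000   # stand-in for bcrypt's work factor
  KEY_LENGTH = 32

  attr_reader :email, :password_digest, :admin

  def initialize
    @admin = false
  end

  # Mass assignment from untrusted params. Keys outside ACCESSIBLE (for example
  # "admin" or "password_digest") are dropped instead of written to the model.
  def assign_attributes(params)
    params.each do |key, value|
      key = key.to_s
      next unless ACCESSIBLE.include?(key)
      public_send("#{key}=", value)
    end
    self
  end

  def email=(value)
    @email = value.to_s.strip.downcase
  end

  def password_confirmation=(value)
    @password_confirmation = value
  end

  # Store only a salted hash; the plaintext is not kept on the object.
  def password=(plain)
    salt = SecureRandom.hex(16)
    digest = hash_password(plain, salt, PBKDF2_ITERATIONS)
    @password_digest = "#{PBKDF2_ITERATIONS}$#{salt}$#{digest}"
  end

  # Returns self on success and false otherwise (the has_secure_password convention).
  def authenticate(plain)
    return false if @password_digest.nil?
    iterations, salt, stored = @password_digest.split('$', 3)
    candidate = hash_password(plain, salt, iterations.to_i)
    secure_compare(candidate, stored) ? self : false
  end

  private

  def hash_password(plain, salt, iterations)
    OpenSSL::PKCS5.pbkdf2_hmac(plain.to_s, salt, iterations, KEY_LENGTH, 'sha256').unpack1('H*')
  end

  # Constant-time comparison so timing does not leak how many leading bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sign-up params in which two extra keys were added to the request.
TAMPERED_PARAMS = {
  'email' => 'Alice@Example.test',
  'password' => 'correct horse battery staple',
  'password_confirmation' => 'correct horse battery staple',
  'admin' => true,
  'password_digest' => 'attacker-chosen',
}.freeze

def build_user(params = TAMPERED_PARAMS)
  User.new.assign_attributes(params)
end

if __FILE__ == $0
  u = build_user
  puts "admin: #{u.admin.inspect}"
  puts "login ok: #{u.authenticate('correct horse battery staple') ? 'yes' : 'no'}"
end
```

With the whitelist in place the `admin` and `password_digest` keys in the request are ignored, the stored digest is the salted hash the model computed itself, and `authenticate` returns the user for the right password and `false` otherwise. In a real Rails app `has_secure_password` and `attr_accessible` (or, in later versions, strong parameters in the controller) give the same guarantees without this hand-written code.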

darius 14 years ago

Or just use devise. Backbone will work just fine with it.

benologist 14 years ago

As always this looks like very useful information for people looking for office space!
