I get it, some of you have heard of Devise. That's cool and all but they recommend that if you're new to rails:

If you are building your first Rails application, we recommend you do not use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch. ... [docs]

In order to "roll our own" authentication we're going to follow this tutorial.

Don't copy/paste the tutorial, this is the most important part and to avoid copy-pasta we're going to change some core pieces.

1. Your rails app can't be named "gif_vault".
2. Your rails app must not include any routes related to "gifs".
3. You must be able to explain these terms:

• `bcrypt`

  The bcrypt function is the default password hash algorithm for BSD and other systems ... [wiki]

  A method of doing one-way hashes of passwords.

• CSRF Token

  Synchronizer token pattern is a technique where a token, secret and unique value for each request, is embedded by the web application in all HTML forms and verified on the server side. The token may be generated by any method that ensures unpredictability and uniqueness ... [wiki]

• has_secure_password

1. Don't let an authenticated user signup or login a second time.
2. Implement password_confirmation for new users.
3. Create the ability to "remember me" for users logging in.

• How long do you remember them for?

1. Add ability to reset a password.
2. Instead of a separate login view, give your site a navbar and add the login form to the nav.
3. Support 3rd-party authentication on your own.

• Could be github auth.

• Cookies & Sessions
• has_secure_password
• Rails Tutorial on Modeling Users
• Kinda Old Railscast
• Code Academy: Auth