Here is a list of security issues that my authentication system has to address. (I know there are already plugins for this, but I want to create my own -- I'm just like that, especially since I want to learn how to do it.)
- Using Rails' form forgery protection.
- Storing a GUID as the auth_token in the cookie, not the user id. Have this token expire after x amount of time and regenerate a new one.
- Storing failed login attempts and locking the account.
- Storing encrypted passwords in the DB, with each user having their own salt.
Is there anything else that comes to mind? I'm looking over authlogic right now to see what else they may be doing.
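As an added example (not code from the original post, and not Authlogic's code), here is how the items in that list can look in plain Ruby, using an in-memory user object as a stand-in for the DB row: a per-user random salt with PBKDF2-HMAC-SHA256 from the OpenSSL standard library (the example stores a one-way hash rather than a reversible encryption, since a login check only has to recompute and compare), a random UUID as the cookie auth_token with an expiry that is refreshed on each successful login, a failed-login counter that locks the account at a threshold, and a constant-time comparison for both the hash and the token so a byte-by-byte `==` does not leak how far a guess matched. The class and method names, the iteration count, the token TTL and the lockout threshold are all assumptions for illustration. Rails' form forgery protection is a controller setting (`protect_from_forgery`) and is not part of this model.

```ruby
require "openssl"
require "securerandom"

# Illustrative in-memory user record; in an app this would be the users table.
# Constants are assumed values, not recommendations from the original post.
class User
  ITERATIONS = 100_000          # PBKDF2 work factor (assumed)
  KEY_LEN = 32                  # bytes of derived hash
  SALT_LEN = 16                 # bytes of per-user salt
  MAX_FAILED_LOGINS = 5         # lock after this many consecutive failures (assumed)
  TOKEN_TTL = 3600              # auth_token lifetime in seconds (assumed)

  attr_reader :email, :salt, :password_hash, :failed_logins,
              :auth_token, :auth_token_expires_at

  def initialize(email, password, now: Time.now)
    @email = email
    @failed_logins = 0
    @locked = false
    set_password(password)
    rotate_auth_token(now)
  end

  # One-way hash: PBKDF2-HMAC-SHA256 over the password with this user's salt.
  def self.hash_password(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                               OpenSSL::Digest.new("SHA256"))
  end

  # Every password change draws a fresh random salt, so two users with the
  # same password still get different stored hashes.
  def set_password(password)
    @salt = SecureRandom.random_bytes(SALT_LEN)
    @password_hash = self.class.hash_password(password, @salt)
  end

  def locked?
    @locked
  end

  # Returns :ok, :invalid or :locked. A success resets the failure counter and
  # issues a new auth_token; a failure counts toward the lockout threshold.
  def authenticate(password, now: Time.now)
    return :locked if locked?
    candidate = self.class.hash_password(password, @salt)
    if secure_compare(candidate, @password_hash)
      @failed_logins = 0
      rotate_auth_token(now)
      :ok
    else
      @failed_logins += 1
      @locked = true if @failed_logins >= MAX_FAILED_LOGINS
      locked? ? :locked : :invalid
    end
  end

  # The cookie carries this random UUID, never the user id, and it expires.
  def rotate_auth_token(now = Time.now)
    @auth_token = SecureRandom.uuid
    @auth_token_expires_at = now + TOKEN_TTL
    @auth_token
  end

  # True only if the presented cookie token matches and has not expired.
  def token_valid?(token, now: Time.now)
    return false if token.nil? || now >= @auth_token_expires_at
    secure_compare(token, @auth_token)
  end

  # Stand-in for "SELECT ... WHERE auth_token = ?" over an in-memory list.
  def self.find_by_token(users, token, now: Time.now)
    users.find { |u| u.token_valid?(token, now: now) }
  end

  private

  # Constant-time equality: XOR every byte and only inspect the result at the end.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

The lockout here is permanent until something else resets `@locked`; a real system would usually store a lock timestamp and let the lock expire, and would also keep the failure counter and lock state in the DB so they survive across app servers.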