Here is a list of security issues that my authentication system has to address (I know there are already plugins for this; I want to create my own -- I'm just like that, especially since I want to learn how to do it).

  1. using Rails form forgery protection
  2. storing a GUID as the auth_token in the cookie, not the user id. Have this token expire every x amount of time, and regenerate a new one.
  3. storing failed login attempts, and locking the account
  4. storing encrypted passwords in the DB, with each user having their own salt

Is there anything else that comes to mind? I'm looking over authlogic right now to see what else they may be doing.
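The following is an added example, not code from the question or from authlogic or Devise, showing items 2, 3 and 4 of the list above in one self-contained Ruby model with no Rails dependency. It assumes an in-memory user object in place of an ActiveRecord model, uses `SecureRandom.uuid` as the GUID session token and the stdlib PBKDF2 (`OpenSSL::PKCS5.pbkdf2_hmac`) with a per-user random salt as the password hash (a bcrypt gem would be the more usual Rails choice), and compares hashes and tokens in constant time. Item 1 is Rails' own `protect_from_forgery` and is not modelled here; the constants for lockout threshold, lock duration and token lifetime are illustrative assumptions.

```ruby
require 'securerandom'
require 'openssl'

# Added example: in-memory stand-in for a users row. In Rails the instance
# variables would be columns and the cookie would carry only @auth_token.
class AuthUser
  ITERATIONS   = 100_000   # PBKDF2 work factor (assumption; tune for your hardware)
  KEY_LEN      = 32        # derived key length in bytes
  MAX_FAILED   = 5         # failed logins before the account locks (assumption)
  LOCK_SECONDS = 15 * 60   # lock duration (assumption)
  TOKEN_TTL    = 30 * 60   # auth token lifetime before it must be regenerated (assumption)

  attr_reader :failed_logins, :locked_until, :auth_token, :token_expires_at

  def initialize(password)
    @salt = SecureRandom.hex(16)              # item 4: salt is unique per user
    @password_hash = hash_password(password, @salt)
    @failed_logins = 0
    @locked_until = nil
    @auth_token = nil
    @token_expires_at = nil
  end

  # item 3: account is locked while locked_until is in the future
  def locked?(now = Time.now)
    !@locked_until.nil? && now < @locked_until
  end

  # Verify a password. Returns a fresh auth token on success, nil on failure.
  # A locked account fails even with the correct password.
  def authenticate(password, now = Time.now)
    return nil if locked?(now)

    if secure_compare(hash_password(password, @salt), @password_hash)
      @failed_logins = 0
      @locked_until = nil
      rotate_token!(now)
    else
      @failed_logins += 1
      @locked_until = now + LOCK_SECONDS if @failed_logins >= MAX_FAILED
      nil
    end
  end

  # item 2: the cookie value is checked against the stored token and its expiry;
  # the user id never appears in the cookie.
  def token_valid?(token, now = Time.now)
    return false if @auth_token.nil? || token.nil?
    return false unless secure_compare(token, @auth_token)
    now < @token_expires_at
  end

  # item 2: issue a new random GUID and push the expiry out by TOKEN_TTL
  def rotate_token!(now = Time.now)
    @auth_token = SecureRandom.uuid
    @token_expires_at = now + TOKEN_TTL
    @auth_token
  end

  private

  # Salted, iterated hash; stored as hex so it fits in a string column.
  def hash_password(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                               OpenSSL::Digest.new('sha256')).unpack1('H*')
  end

  # Constant-time comparison so a timing side channel cannot leak the
  # hash or token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    left = a.unpack('C*')
    diff = 0
    b.each_byte { |byte| diff |= byte ^ left.shift }
    diff.zero?
  end
end
```

Every successful login rotates the token, so a cookie stolen before the rotation stops working; the `now` parameter exists only so expiry and lockout can be exercised without sleeping.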

A: 

Simply don't.

You are re-inventing this wheel and there's no serious reason why you should waste your valuable time on it.

Check out Ruby Toolbox for some ideas. I personally love Devise, so make sure to check that out. With Devise you have all your bases covered.

Ariejan