lastk/application.html.erb

## application.html.erb
<!-- layout file -->
<% if current_user %>
  Welcome <%= current_user.username %>. Not you? <%= link_to "Log out", logout_path %>
<% else %>
  <%= link_to "Sign up", signup_path %> or <%= link_to "log in", login_path %>.
<% end %>

## application_controller.rb
class ApplicationController < ActionController::Base
  helper_method, :current_user

  private

  def current_user
    @current_user ||= User.find(session[:user_id]) if session[:user_id]
  end

  # call this as a before_filter to require them to be logged in
  def login_required
    if current_user.nil?
      redirect_to login_url, :alert => "You must first log in or sign up before accessing this page."
    end
  end
end

## new.html.erb
<!-- login form under views/sessions/new.html.erb -->
<%= form_tag sessions_path do %>
  <p>
    <%= label_tag :login, "Username or Email Address" %><br />
    <%= text_field_tag :login, params[:login] %>
  </p>
  <p>
    <%= label_tag :password %><br />
    <%= password_field_tag :password %>
  </p>
  <p><%= submit_tag "Log in" %></p>
<% end %>

## routes.rb
match 'signup' => 'users#new', :as => :signup
match 'logout' => 'sessions#destroy', :as => :logout
match 'login' => 'sessions#new', :as => :login
resources :sessions
resources :users

## sessions_controller.rb
class SessionsController < ApplicationController
  def new
  end

  def create
    user = User.authenticate(params[:login], params[:password])
    if user
      session[:user_id] = user.id
      redirect_to root_url, :notice => "Logged in successfully."
    else
      flash.now[:alert] = "Invalid login or password."
      render :action => 'new'
    end
  end

  def destroy
    session[:user_id] = nil
    redirect_to root_url, :notice => "You have been logged out."
  end
end

## user.rb
# run: rails g model User username:string email:string password_hash:string password_salt:string
class User < ActiveRecord::Base
  # new columns need to be added here to be writable through mass assignment
  attr_accessible :username, :email, :password, :password_confirmation

  attr_accessor :password
  before_save :prepare_password

  validates_presence_of :password, :on => :create
  validates_confirmation_of :password
  validates_length_of :password, :minimum => 4, :allow_blank => true
  # you may want to add validations to email/username here too

  # login can be either username or email address
  def self.authenticate(login, pass)
    user = find_by_username(login) || find_by_email(login)
    return user if user && user.matching_password?(pass)
  end

  def matching_password?(pass)
    self.password_hash == encrypt_password(pass)
  end

  private

  def prepare_password
    unless password.blank?
      self.password_salt = BCrypt::Engine.generate_salt
      self.password_hash = encrypt_password(password)
    end
  end

  def encrypt_password(pass)
    BCrypt::Engine.hash_secret(pass, password_salt) # add to Gemfile: gem "bcrypt-ruby", :require => "bcrypt"
  end
end
	<!-- layout file -->
	<% if current_user %>
	Welcome <%= current_user.username %>. Not you? <%= link_to "Log out", logout_path %>
	<% else %>
	<%= link_to "Sign up", signup_path %> or <%= link_to "log in", login_path %>.
	<% end %>
	class ApplicationController < ActionController::Base
	helper_method, :current_user

	private

	def current_user
	@current_user \|\|= User.find(session[:user_id]) if session[:user_id]
	end

	# call this as a before_filter to require them to be logged in
	def login_required
	if current_user.nil?
	redirect_to login_url, :alert => "You must first log in or sign up before accessing this page."
	end
	end
	end
	<!-- login form under views/sessions/new.html.erb -->
	<%= form_tag sessions_path do %>
	<p>
	<%= label_tag :login, "Username or Email Address" %><br />
	<%= text_field_tag :login, params[:login] %>
	</p>
	<p>
	<%= label_tag :password %><br />
	<%= password_field_tag :password %>
	</p>
	<p><%= submit_tag "Log in" %></p>
	<% end %>
	match 'signup' => 'users#new', :as => :signup
	match 'logout' => 'sessions#destroy', :as => :logout
	match 'login' => 'sessions#new', :as => :login
	resources :sessions
	resources :users
	class SessionsController < ApplicationController
	def new
	end

	def create
	user = User.authenticate(params[:login], params[:password])
	if user
	session[:user_id] = user.id
	redirect_to root_url, :notice => "Logged in successfully."
	else
	flash.now[:alert] = "Invalid login or password."
	render :action => 'new'
	end
	end

	def destroy
	session[:user_id] = nil
	redirect_to root_url, :notice => "You have been logged out."
	end
	end
	# run: rails g model User username:string email:string password_hash:string password_salt:string
	class User < ActiveRecord::Base
	# new columns need to be added here to be writable through mass assignment
	attr_accessible :username, :email, :password, :password_confirmation

	attr_accessor :password
	before_save :prepare_password

	validates_presence_of :password, :on => :create
	validates_confirmation_of :password
	validates_length_of :password, :minimum => 4, :allow_blank => true
	# you may want to add validations to email/username here too

	# login can be either username or email address
	def self.authenticate(login, pass)
	user = find_by_username(login) \|\| find_by_email(login)
	return user if user && user.matching_password?(pass)
	end

	def matching_password?(pass)
	self.password_hash == encrypt_password(pass)
	end

	private

	def prepare_password
	unless password.blank?
	self.password_salt = BCrypt::Engine.generate_salt
	self.password_hash = encrypt_password(password)
	end
	end

	def encrypt_password(pass)
	BCrypt::Engine.hash_secret(pass, password_salt) # add to Gemfile: gem "bcrypt-ruby", :require => "bcrypt"
	end
	end