Authlogic vs Devise for Authentication in Rails

The following post has been written by Brian Morearty. Here he compares Authlogic to Devise.
I’m posting the following with his permission.

"Here’s my comparison. Please keep in mind this is after only having used Authlogic for a few months (I used it on another project) and Devise for a few hours:

• Authlogic and Devise take similar amounts of effort to understand at a high level.
• Both are highly customizable.
• Both have reasonable defaults.
• Both can be set up fairly quickly but it’s not a 5-minute job. They both require a number of steps that must be followed carefully. Miss one step and you’re banging your head against the wall for a while. For me the whole setup was a couple of hours in both cases, including time to understand the various configuration options.
• Both have good basic documentation. But I find both Authlogic and Devise are lacking in detailed documentation. For example, with Authlogic I have to spend quite a while hunting to find all the config options. And with Devise they list all the config options in the readme but I couldn’t find any good doc about exactly what each config option does in any level of detail.
• When something goes wrong (due to my error), I find Authlogic’s code kind of hard to debug. I did not spend a lot of time trying to debug Devise’s code.
• When a user logs in I like to set a cookie that has the username so I can access it from JavaScript. I know how to do this with Authlogic: add a line of code to UserSessionsController#create. How do I do it with Devise? I can’t see how. (I don’t want to do it on every page request. Just when they authenticate.)
• Devise’s doc says I can authenticate on any field I want, e.g. username instead of the default email field, by modifying the initializer. I did that but it still requires me to create an email field for each user. I want to authenticate on username, not email, and I don’t want to require the user to enter an email. I don’t see a way to do this without copying and pasting Devise::Schema#database_authenticatable and replacing ’email’ with ‘username’–and even if I do that it’s not obvious where to put my new module and how to make it callable.
• Both Authlogic and Devise have reasonable defaults. But I think Authlogic does a better job of making it easy to stray from the defaults if you want to. The previous point about email vs. username is an example of that. Similarly, Devise chunks database columns together into groups with names like “trackable” but doesn’t document the names of the columns it generates. Authlogic has you specify each column individually in your migration, which is a little more typing but lets you leave out individual fields you don’t want and lets you easily see the column names you are creating.

These last three points were the deal-breaker for me. I prefer Authlogic. I’m going to delete my Devise branch. If it were obvious to me that Devise was a lot better, I would take the time to figure out the best way to solve or work around the last three points. But it’s not at all obvious to me that either one is significantly better than the other.

They’re both super-popular and I expect them both to stick around for a while. Ruby-toolbox lists Authlogic and Devise as the #1 and #2 most popular methods of Authentication for Rails apps.

If you don’t care about the concerns I mentioned at the end of my list, you probably can’t go wrong with either one.

Brian Morearty

P.S. It’s not clear to me why “of course, devise is much better for SOA in the first place.” "
—–

Please visit Brian Morearty’s blog

Also, I wrote up a Devise Tutorial which will give you instructions on how to use it as well explain it a bit.