A few weeks ago, I added a password reset feature. This was quite straightforward: I just followed the password-reset tutorial and was up and running pretty quickly.
However, when I did some additional testing on the basic Authlogic functionality, I noticed that it took a very simplistic approach to error messages for login failures: it would report "Invalid email address" or "Invalid password" depending on which field was wrong. That is bad security: the two different messages let an attacker enumerate which email addresses have accounts, and a confirmed address can then be used for phishing or social engineering, or as the target of password guessing.
Support for fixing this is already in Authlogic -- it's just not the default behavior. You have to add the following method call to your UserSession class:
class UserSession < Authlogic::Session::Base
More details can be found at: http://railsapi.com/doc/authlogic-v2.1.3/classes/Authlogic/Session/Password/Config.html#M000178
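To make the point concrete, here is a small stand-alone Ruby example (added here, not code from the post or from Authlogic) that shows a login check in the leaky form and in the generalized form. It does not use Authlogic at all; the user record, the password and the messages are constructed for the example. The Authlogic setting that the linked Config page documents is generalize_credentials_error_messages, which switches the real plugin to the second behaviour. The example also covers a caveat the error message alone does not fix: if the server skips the password hash when the email is unknown, the faster response still leaks which accounts exist, so the generalized path hashes against a dummy record on a miss.

```ruby
require "openssl"
require "securerandom"

# Constructed sample data for this example: one registered user, with the
# password stored as a salted PBKDF2-HMAC-SHA256 hash from Ruby's stdlib.
ITERATIONS = 20_000

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, "sha256")
end

SALT = SecureRandom.random_bytes(16)
USERS = {
  "alice@example.com" => { salt: SALT, hash: hash_password("correct horse", SALT) }
}.freeze

# Dummy record used when the email is not registered, so a lookup miss costs
# the same hashing work as a real comparison (no timing side channel).
DUMMY = { salt: SALT, hash: hash_password(SecureRandom.hex(16), SALT) }.freeze

# Constant-time byte comparison, so a mismatch is not revealed by how early
# the comparison stops.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Leaky behaviour (what the post describes as the default): the message
# tells the caller which field failed, i.e. whether the email is registered.
def login_leaky(email, password)
  user = USERS[email]
  return [false, "Invalid email address"] unless user
  return [false, "Invalid password"] unless secure_equal?(hash_password(password, user[:salt]), user[:hash])
  [true, nil]
end

# Generalized behaviour (what generalize_credentials_error_messages gives you
# in Authlogic): one message for every failure. The non-short-circuit `&`
# makes sure the hash is always computed, even for an unknown email.
GENERIC_MESSAGE = "Email or password is not valid".freeze

def login_generalized(email, password)
  record = USERS.fetch(email, DUMMY)
  known = USERS.key?(email)
  matched = secure_equal?(hash_password(password, record[:salt]), record[:hash])
  (known & matched) ? [true, nil] : [false, GENERIC_MESSAGE]
end

if __FILE__ == $PROGRAM_NAME
  [["alice@example.com", "wrong"], ["nobody@example.com", "wrong"]].each do |email, pw|
    puts "#{email}: leaky=#{login_leaky(email, pw).inspect} generalized=#{login_generalized(email, pw).inspect}"
  end
end
```

Run it and compare the two lines: the leaky variant returns a different message for the registered and the unregistered address, the generalized variant returns the same message for both. The same reasoning applies to the password-reset form: "we sent you an email if that address is registered" gives away nothing, while "no account with that email" does.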
This post is mostly about collecting the various sources of information about Authlogic -- it's such a popular Rails plugin that there are many search results, some of them dead or not very helpful. I spent almost an hour googling to find the right stuff, and figured I'd post what I found in case it might save someone else some time.
General github/authlogic documentation page: http://rdoc.info/projects/binarylogic/authlogic. The "documentation" link sends you to an RDoc Info page: the main page is an overview, and you get more detail by clicking on the 3 buttons in the upper right-hand corner: "Namespace list", "Method list", and "File list".
More documentation can also be found at: http://railsapi.com/doc/authlogic-v2.1.3/ .
All in all, really good stuff!