
Login and logout flow in Ruby on Rails

Introduction

Login and logout let users enter and leave your app safely. They keep user information private and control access.

Use a login and logout flow in these cases:

When you want users to have personal accounts.
When you need to protect parts of your app from strangers.
When you want to remember who is using the app.
When you want to let users end their session securely.

Syntax
Ruby on Rails
class SessionsController < ApplicationController
  def new
    # shows login form
  end

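  def create
    user = User.find_by(email: params[:email])
    if user&.authenticate(params[:password])
      # Start a fresh session on login so a pre-login session ID is not reused
      reset_session
      session[:user_id] = user.id
      redirect_to root_path, notice: 'Logged in!'
    else
      flash.now[:alert] = 'Invalid email or password'
      # Re-render the form with an error status so the failed submission is shown
      render :new, status: :unprocessable_entity
    end
  end

  def destroy
    # Discard the whole session, not only the user ID
    reset_session
    redirect_to login_path, notice: 'Logged out!'
  end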
end

The session hash stores user info between requests.

authenticate checks the password securely.

Examples
This saves the logged-in user's ID in the session to remember them.
Ruby on Rails
session[:user_id] = user.id
This clears the session to log the user out.
Ruby on Rails
reset_session
This finds the user by email and checks the password.
Ruby on Rails
user = User.find_by(email: params[:email])
if user&.authenticate(params[:password])
  # login success
else
  # login fail
end
Sample Program

This code shows a simple login form, a controller to handle login and logout, and routes to connect URLs.

Ruby on Rails
# app/controllers/sessions_controller.rb
class SessionsController < ApplicationController
  def new
    # renders login form
  end

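  def create
    user = User.find_by(email: params[:email])
    if user&.authenticate(params[:password])
      # Start a fresh session on login so a pre-login session ID is not reused
      reset_session
      session[:user_id] = user.id
      redirect_to root_path, notice: 'Logged in!'
    else
      flash.now[:alert] = 'Invalid email or password'
      # Re-render the form with an error status so the failed submission is shown
      render :new, status: :unprocessable_entity
    end
  end

  def destroy
    # Discard the whole session, not only the user ID
    reset_session
    redirect_to login_path, notice: 'Logged out!'
  end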
end

# app/views/sessions/new.html.erb
<%= form_with url: login_path, method: :post do %>
  <div>
    <label for="email">Email:</label>
    <%= text_field_tag :email, nil, id: 'email', required: true %>
  </div>
  <div>
    <label for="password">Password:</label>
    <%= password_field_tag :password, nil, id: 'password', required: true %>
  </div>
  <div>
    <%= submit_tag 'Log in' %>
  </div>
<% end %>

# config/routes.rb
Rails.application.routes.draw do
  get '/login', to: 'sessions#new'
  post '/login', to: 'sessions#create'
  delete '/logout', to: 'sessions#destroy'
  root 'welcome#index'
end
Important Notes

Always use has_secure_password in your User model to handle passwords safely.

Use flash messages to show login success or failure clearly.

Protect pages by checking if session[:user_id] exists before allowing access.
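
One way to implement the access check from the note above, as an added example that is not code from the original tutorial. It is plain Ruby so it runs without Rails; `Authentication`, `FakeController`, `USERS` and the stubbed `User.find_by` are assumptions made for the illustration, and it goes one step past "the ID exists" by treating an ID whose user no longer exists as logged out.

```ruby
# Added example in plain Ruby (runs without Rails). USERS, the stubbed
# User.find_by and FakeController are constructed stand-ins for the demo.
User = Struct.new(:id, :email)
USERS = { 1 => User.new(1, 'alice@example.com') } # constructed sample data

def User.find_by(id:)
  USERS[id]
end

# In Rails these methods go in ApplicationController.
module Authentication
  # Load the user on each request instead of trusting that an ID is present:
  # an ID left over from a deleted account must count as logged out.
  def current_user
    return @current_user if defined?(@current_user)
    @current_user = session[:user_id] && User.find_by(id: session[:user_id])
  end

  def logged_in?
    !current_user.nil?
  end

  # In Rails: before_action :require_login (and login_path instead of '/login').
  def require_login
    return if logged_in?
    session.delete(:user_id) # drop a stale ID
    redirect_to '/login', alert: 'Please log in'
  end
end

# Minimal stand-in for a controller: a session hash plus redirect_to.
class FakeController
  include Authentication
  attr_reader :session, :redirected_to, :body

  def initialize(session)
    @session = session
  end

  def redirect_to(path, **_flash)
    @redirected_to = path
  end

  # Mimics Rails: run the filter, then skip the action if it redirected.
  def process
    require_login
    @body = "Dashboard for #{current_user.email}" unless redirected_to
    self
  end
end
```

In a Rails app, controllers that must stay public, such as SessionsController, would opt out with `skip_before_action :require_login`.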

Summary

Login saves the user's ID in the session to remember them.

Logout clears the session to end the user's access.

Use controller actions to handle the login form, authentication, and logout.