While sessions expand your application-building possibilities, almost any interactive application that will be around for a while needs to be able to keep track of users. You might be a little startled to hear that Rails itself doesn’t include any mechanisms for tracking users, unlike most current web frameworks. That isn’t so much a failure as an opportunity for developers to create their own authentication approaches. Because you may want to allow users to log in through other services instead of a local username and password, the OmniAuth gem is a good place to start. (The code for this example is available in ch14/students007.)
OmniAuth is built on Rack, so it sits a layer below most of your Rails work, and its support for both local and remote login is hard to beat.
You can find out much more about OmniAuth at https://github.com/intridea/omniauth/; in particular, there’s a list of authentication strategies at https://github.com/intridea/omniauth/wiki/List-of-Strategies/.
I strongly recommend Ryan Bates’ Railscasts presentations at http://railscasts.com/episodes/241-simple-omniauth/ and http://railscasts.com/episodes/304-omniauth-identity/. They start by using remote authentication and then come back to local. That may or may not be what you want when you’re getting started.
This chapter follows many of Bates’ approaches but focuses on local authentication. The code is also simplified to be more readable for Ruby newbies, though ...