Should I limit login attempts in Rails?

I'm thinking about building a login system for Ruby on Rails, much like this one

http://visionmasterdesigns.com/tutorial-create-a-login-system-in-ruby-on-rails/

In terms of security, should I limit the attempts a user can have to log in if they get their username wrong?

Also, the basic steps of a login seem to be:

  • authenticating the username and password against those in the database
  • if the username and password are authentic, creating a session variable
  • a before filter so that pages that require login are protected.

Is there anything else I should consider?

conspirisi asked Dec 23 '22 08:12


1 Answer

Yes, limiting the number of login attempts per IP (not per session) increases security.

Do you know there are already several authentication systems for Rails? There's no need to reinvent the wheel.
Here is a non-exhaustive list.

  • Clearance
  • AuthLogic
  • Restful Authentication

If you do not wish to use any of them, you can take example from what they're doing.

Edit 2013
The libraries listed above aren't up to date anymore, and I couldn't recommend using them in a new application. Take a look at Devise.

Damien MATHIEU answered Dec 28 '22 05:12
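The first step the question lists (checking a username and password against stored credentials) and the answer's advice (throttle failed attempts per IP, not per session) can both be shown in plain Ruby without a Rails app. The following is an added example, not code from the question, the answer, or any of the libraries named above. It assumes a stdlib-only PBKDF2-HMAC-SHA256 password hash and an in-memory throttle; the names `LoginThrottle`, `PasswordHash` and `Authenticator` are this example's own. In a real Rails application the two remaining steps would be `session[:user_id] = user.id` on success and a `before_action` that redirects when that key is absent, and the throttle would normally live in middleware such as rack-attack rather than in the controller.

```ruby
require 'openssl'
require 'securerandom'

# Per-IP throttle: once an IP has accumulated max_attempts failures inside the
# sliding window (seconds), further logins from it are refused until old
# failures age out. The clock is injectable so the behaviour can be tested.
class LoginThrottle
  def initialize(max_attempts: 5, window: 900, clock: -> { Time.now.to_f })
    @max_attempts = max_attempts
    @window = window
    @clock = clock
    @failures = Hash.new { |h, k| h[k] = [] } # ip => [failure timestamps]
  end

  def blocked?(ip)
    prune(ip)
    @failures[ip].size >= @max_attempts
  end

  def record_failure(ip)
    prune(ip)
    @failures[ip] << @clock.call
  end

  def reset(ip)
    @failures.delete(ip)
  end

  private

  # Drop failures older than the window so blocks expire on their own.
  def prune(ip)
    now = @clock.call
    @failures[ip].reject! { |t| now - t > @window }
  end
end

# Salted PBKDF2-HMAC-SHA256 storage using only the Ruby stdlib. A Rails app
# would normally use bcrypt via has_secure_password instead (assumption: this
# format "salt_hex$digest_hex" is specific to this example).
module PasswordHash
  ITERATIONS = 100_000
  KEY_LEN = 32

  def self.derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                                       length: KEY_LEN, hash: 'sha256')
  end

  def self.create(password)
    salt = SecureRandom.random_bytes(16)
    [salt.unpack1('H*'), derive(password, salt).unpack1('H*')].join('$')
  end

  def self.verify(password, stored)
    salt_hex, digest_hex = stored.split('$', 2)
    expected = [digest_hex].pack('H*')
    secure_compare(expected, derive(password, [salt_hex].pack('H*')))
  end

  # Constant-time comparison so a wrong password's position of first
  # mismatch is not visible in the response time.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

class Authenticator
  # Hash verified for unknown usernames so "no such user" and "wrong
  # password" take the same time and do not leak which usernames exist.
  DUMMY_HASH = PasswordHash.create(SecureRandom.hex(16))

  def initialize(users, throttle)
    @users = users       # username => stored PasswordHash string
    @throttle = throttle
  end

  # Returns :ok, :invalid or :throttled. Failures count against the client
  # IP regardless of which username was tried.
  def login(ip, username, password)
    return :throttled if @throttle.blocked?(ip)

    stored = @users[username]
    ok = PasswordHash.verify(password, stored || DUMMY_HASH) && !stored.nil?
    if ok
      @throttle.reset(ip)
      :ok
    else
      @throttle.record_failure(ip)
      :invalid
    end
  end
end

if __FILE__ == $0
  # Constructed sample: one user, a 3-attempt limit, one misbehaving client.
  auth = Authenticator.new({ 'alice' => PasswordHash.create('correct horse') },
                           LoginThrottle.new(max_attempts: 3, window: 60))
  3.times { auth.login('203.0.113.9', 'alice', 'guess') }
  puts auth.login('203.0.113.9', 'alice', 'correct horse') # :throttled
end
```

Note that success resets the counter for that IP only; another IP attempting the same account is tracked separately, which is exactly why the answer insists on per-IP rather than per-session counting (a session cookie is under the attacker's control and can simply be discarded).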