Do I need authorization after registration?

    While designing a service, I wondered: does it make sense to log the user in (authorize them) immediately after registration, or is it better not to? On the one hand, the experience of the vast majority of sites tells us that visitors are used to being able to use the site's services right after registering, with nothing further in their way. On the other hand, many people use all kinds of applications and password managers (built into the browser or provided by third-party services), and if the manager never gets a chance to save the credentials, then the next time they log in they will have to remember their username and password instead of logging in almost automatically.


    Instead of choosing which option is more convenient, it makes sense to take advantage of both: after submitting the registration form, the user is taken to the login page, where all the necessary information is already filled in (do not forget to store in the database not the password itself but, for example, its salted hash). By clicking the “Login” button, the user can save their username and password in the password manager, and the registration procedure becomes longer by just one step. Even the option of automatically generating a password and sending it by e-mail requires more actions.

    If someone wants to try, I made a simple example of a system that shows the overall development of the script.

    In fact, from a security point of view, this approach is no weaker than the usual login option, but it lets users rely on a tool for remembering passwords that is convenient and familiar to many. Another advantage of this modification is that the password input fields can be removed from the registration form, leaving, at best, only an e-mail field.
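
    The registration-then-login flow described above, as an added example (not the author's own code): registration stores only a salted hash and answers the POST with a pre-filled login form that a password manager can capture. The in-memory `USERS` store, the `/login` action, the PBKDF2 parameters and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets

USERS = {}             # assumed stand-in for the database: username -> (salt, hash)
ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str):
    """Store a salted hash, then return (headers, body) of the pre-filled login page."""
    if username in USERS:
        raise ValueError("username already taken")
    salt = secrets.token_bytes(16)            # unique random salt per user
    USERS[username] = (salt, _hash(password, salt))
    # The page is the direct response to the registration POST, so the
    # plaintext password never goes into a URL, cookie or server-side session.
    headers = {"Cache-Control": "no-store"}   # keep the filled-in form out of caches
    user = html.escape(username, quote=True)  # escape before placing in attributes
    pwd = html.escape(password, quote=True)
    body = (
        '<form method="post" action="/login">\n'
        f'  <input name="username" autocomplete="username" value="{user}">\n'
        '  <input name="password" type="password"'
        f' autocomplete="current-password" value="{pwd}">\n'
        '  <button type="submit">Login</button>\n'
        '</form>'
    )
    return headers, body


def login(username: str, password: str) -> bool:
    """Verify credentials; unknown users cost the same hashing work as known ones."""
    salt, stored = USERS.get(username, (b"\x00" * 16, b""))
    candidate = _hash(password, salt)
    # compare_digest is constant-time and returns False on a length mismatch
    return hmac.compare_digest(stored, candidate)
```

    The `autocomplete="username"` and `autocomplete="current-password"` attributes mark the fields as login credentials, which is what lets the password manager offer to save them when the user clicks “Login”.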
