imkingdavid wrote:Either way, they should be required to enter a new password to finalize registration.
Why would you require that?
If you send the email with an activation link, the user won't have a password set yet so they will need to enter a password. If you send instead a randomly generated password, as you said that is not secure because it's plaintext in the email, so they should have to enter a new password to finalize their registration. Same idea, really, since it's still one random code being generated and the user is entering their own password. In fact, it's almost the exact same thing except one is where the user clicks a link and the other is where the user enters the code manually.
So ultimately, this is how I envision the registration: User enters email address and receives unique code/link. User clicks link and is brought to new page to enter username and password. User enters information and is logged in automatically (related 3.1 RFC
). User is directed to a "First Login Landing Page" or something with quick links to things like account information (to further set up account/profile details), forum index, etc. Alternately, if the user came from a page in the forum to register, he should directed back to that upon successful registration/auto login.