[RFC] Registration & Login Overhaul

Note: We are moving the topics of this forum and it will be deleted at some point

Publish your own request for comments/change or patches for the next version of phpBB. Discuss the contributions and proposals of others. Upcoming releases are 3.2/Rhea and 3.3.
XTF
Registered User
Posts: 49
Joined: Sun Dec 04, 2011 6:31 pm

Re: [RFC] Registration & Login Overhaul

Post by XTF »

imkingdavid wrote: I agree with being able to login with either username or email, but there are some cases in which users might have multiple usernames associated with one email address that, which could become problematic.
If multiple rows match, you could fallback to matching on username only.
I think using JS for more than a "Username / email adress is valid and available" message is useless.

The idea of only having an email adress field on the first form is good.
The second form could have username and password fields. Providing a randomly generated password might be nice too.

User avatar
imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Registration & Login Overhaul

Post by imkingdavid »

XTF wrote:
imkingdavid wrote: I agree with being able to login with either username or email, but there are some cases in which users might have multiple usernames associated with one email address that, which could become problematic.
If multiple rows match, you could fallback to matching on username only.
I think using JS for more than a "Username / email adress is valid and available" message is useless.

The idea of only having an email adress field on the first form is good.
The second form could have username and password fields. Providing a randomly generated password might be nice too.
We ultimately there should only be one email required for activating/logging in initially. If we have one form for just the email address, which sends an activation link, and then the second form for the username, which then sends a random password, that is just extra work to have to keep checking your email to register. I think that one or the other method should be used, not both. So either an activation link or a random password.

But yes, having a very short registration form is, in my opinion, the ideal method of registration. It's easy and quick on the user's side if they just want to get started without having to fill out their profile and non-essential account information up front. It's also not too much extra work on the server side; less code, and less information is being transferred at once (only one or two form fields at a time instead of the current amount).
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.

XTF
Registered User
Posts: 49
Joined: Sun Dec 04, 2011 6:31 pm

Re: [RFC] Registration & Login Overhaul

Post by XTF »

imkingdavid wrote: We ultimately there should only be one email required for activating/logging in initially. If we have one form for just the email address, which sends an activation link, and then the second form for the username, which then sends a random password, that is just extra work to have to keep checking your email to register. I think that one or the other method should be used, not both. So either an activation link or a random password.
You wouldn't send two emails. You'd either display the random password after activation or you'd include it in the first email. Emailing it has a security implication though.

User avatar
imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Registration & Login Overhaul

Post by imkingdavid »

XTF wrote:
imkingdavid wrote: We ultimately there should only be one email required for activating/logging in initially. If we have one form for just the email address, which sends an activation link, and then the second form for the username, which then sends a random password, that is just extra work to have to keep checking your email to register. I think that one or the other method should be used, not both. So either an activation link or a random password.
You wouldn't send two emails. You'd either display the random password after activation or you'd include it in the first email. Emailing it has a security implication though.
Right... if you're generating a random password, you wouldn't also generate an activation key. As I said, it's one or both.

As for security, ultimately either the activation key or the password is going to have to be emailed in plain text for the user to be able to use. I could understand it being a security issue if we emailed the user's chosen password plaintext, it isn't any more insecure to email the random password than the random activation key. Either way, they should be required to enter a new password to finalize registration.
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.

XTF
Registered User
Posts: 49
Joined: Sun Dec 04, 2011 6:31 pm

Re: [RFC] Registration & Login Overhaul

Post by XTF »

imkingdavid wrote:Either way, they should be required to enter a new password to finalize registration.
Why would you require that?

User avatar
imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Registration & Login Overhaul

Post by imkingdavid »

XTF wrote:
imkingdavid wrote:Either way, they should be required to enter a new password to finalize registration.
Why would you require that?
If you send the email with an activation link, the user won't have a password set yet so they will need to enter a password. If you send instead a randomly generated password, as you said that is not secure because it's plaintext in the email, so they should have to enter a new password to finalize their registration. Same idea, really, since it's still one random code being generated and the user is entering their own password. In fact, it's almost the exact same thing except one is where the user clicks a link and the other is where the user enters the code manually.

So ultimately, this is how I envision the registration: User enters email address and receives unique code/link. User clicks link and is brought to new page to enter username and password. User enters information and is logged in automatically (related 3.1 RFC). User is directed to a "First Login Landing Page" or something with quick links to things like account information (to further set up account/profile details), forum index, etc. Alternately, if the user came from a page in the forum to register, he should directed back to that upon successful registration/auto login.
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.

Oleg
Posts: 1150
Joined: Tue Feb 23, 2010 2:38 am
Contact:

Re: [RFC] Registration & Login Overhaul

Post by Oleg »

Keep in mind it is possible to set up a board to not require (functioning) email addresses for registration, this needs to continue working.

XTF
Registered User
Posts: 49
Joined: Sun Dec 04, 2011 6:31 pm

Re: [RFC] Registration & Login Overhaul

Post by XTF »

Sure. If activation is disabled just skip the first form (and activation) and add the email field to the second form.

grahamperrin
Registered User
Posts: 2
Joined: Sun Oct 28, 2012 10:48 am

another related RFC

Post by grahamperrin »

Another related requested for comments: [RFC] Auth Plugin Refactoring & User Integration (2012-04-24)

Post Reply