Automatic Authentication Security

I was asked by a stakeholder today for automatic login when a user registers.

At the moment our app registers → sends an email link → email link takes user to a confirm link → user can login.

I'm happy; she is not :slight_smile:

My solution I have proposed is to use allauth so people can login with google/icloud etc.

I know you can do automatic login with django e.g.

    from django.contrib.auth import authenticate, login
    from django.shortcuts import redirect

    from .forms import RegisterForm  # the app's own registration form (assumed location)

    def register_view(request):
        if request.method == 'POST':          # the request object, not a response
            form = RegisterForm(request.POST)
            if form.is_valid():               # is_valid is a method; the bare attribute is always truthy
                form.save()
                username = form.cleaned_data.get('username')
                password = form.cleaned_data.get('password1')
                user = authenticate(request, username=username, password=password)
                if user:
                    login(request, user)
                    return redirect(...)      # redirect target elided in the original post

This feels wrong right?

While researching I was looking for inspiration and was looking at taskrabbit and they have automatic login on registration?!

How do they do that? Do they have some serious AI threat detection in place?

The purpose of the “send a link”, “click a link” is not to secure your site. It’s only to prove that the individual registering has access to the email address they provided - frequently only needed for a password reset process, and to deter someone from trying to set up an account for someone else’s email address.

This can be addressed in a different way. Upon registration, the account is marked “unverified”. You send a verification email. Clicking on that link changes your status from unverified to verified. You then only ever send emails to verified accounts.

So the bottom line is, no. If you don’t absolutely need to verify that the email address supplied is valid, there is no implicit security threat created by an immediate login process.
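The flow Ken describes, as an added stdlib-only Python sketch (not code from the thread or from Django): registration creates an account flagged unverified and issues a session immediately, the emailed link carries a signed, expiring token that flips the flag, and outbound mail is gated on the flag. SECRET_KEY, TOKEN_TTL, Account, register, verify and may_email are all constructed names for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

SECRET_KEY = b"constructed-demo-secret-do-not-reuse"  # stand-in for the server secret
TOKEN_TTL = 24 * 3600  # verification links expire after one day

@dataclass
class Account:
    email: str
    verified: bool = False  # every registration starts unverified
    sessions: list = field(default_factory=list)

def _now(now):
    return time.time() if now is None else now

def make_verify_token(email, now=None):
    """Signed, expiring token 'email|expiry|mac'; nothing to store server-side."""
    payload = f"{email}|{int(_now(now) + TOKEN_TTL)}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def check_verify_token(token, now=None):
    """Return the email the token was issued for, or None if forged or expired."""
    try:
        email, expiry, mac = token.rsplit("|", 2)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, f"{email}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected) or _now(now) > int(expiry):
        return None
    return email

def register(email, accounts):
    """Create an unverified account, log the user in at once, return the token to mail."""
    account = accounts.setdefault(email, Account(email))
    session_id = secrets.token_urlsafe(32)  # immediate login: a session is issued now
    account.sessions.append(session_id)
    return account, session_id, make_verify_token(email)

def verify(token, accounts):
    email = check_verify_token(token)  # flips unverified -> verified on a valid click
    if email is None or email not in accounts:
        return False
    accounts[email].verified = True
    return True

def may_email(account, is_verification_mail=False):
    return account.verified or is_verification_mail  # only the verification mail may go out unverified
```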

Thanks, Ken

That makes sense. My intuition and security clearly don’t go hand in hand :slight_smile: