Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: Jade Elizabeth on August 08, 2014, 01:56:43 AM

Title: Logged in after sign up?
Post by: Jade Elizabeth on August 08, 2014, 01:56:43 AM
I've noticed after signing up even though rego is immediate I still have to log in. Can I make it so it's already logged in?
Title: Re: Logged in after sign up?
Post by: Justyne on August 08, 2014, 03:30:00 AM
"Immediate" is not really intended to do that and I can't think of an easy way to make what you want happen.

Maybe having one of the integrated social login things would take care of this at least in part.
Title: Re: Logged in after sign up?
Post by: Kindred on August 08, 2014, 06:37:14 AM
No Jade... it won't work.

When you finish registration, it has to write a whole bunch of stuff to the database.
Only then can you actually log in using the credentials.
Title: Re: Logged in after sign up?
Post by: Arantor on August 08, 2014, 07:32:30 AM
Technically there's no reason why the session couldn't then be updated once that's done, in theory. Practice may make a liar of me, however. I know there is a reason it is done that way, only I can't remember it right now. Possibly because I'm shaking because I've just done something incredibly scary.
Title: Re: Logged in after sign up?
Post by: Jade Elizabeth on August 09, 2014, 02:46:14 AM
Quote from: ‽ on August 08, 2014, 07:32:30 AM
Technically there's no reason why the session couldn't then be updated once that's done, in theory. Practice may make a liar of me, however. I know there is a reason it is done that way, only I can't remember it right now. Possibly because I'm shaking because I've just done something incredibly scary.

What did you do?!


I've seen it on other websites and forum software... so I know it can happen :).
Title: Re: Logged in after sign up?
Post by: Arantor on August 09, 2014, 06:45:30 AM
Just because other people did it in their site does not mean either 1) it is a good idea or 2) it can be done in SMF without significant retooling.

I know there is a reason why it was done this way in SMF. I just can't remember why, because if it was done for a good reason maybe it's worth leaving it there.

Also, I shaved my 3 years' worth of beard growth. That is not something done lightly.
Title: Re: Logged in after sign up?
Post by: Ninja ZX-10RR on August 09, 2014, 09:01:01 AM
Hm Arantor. What if people used a disposable mail provider and other people could easily hack into each other's accounts? I think that might be the good reason.

This is because disposable email providers tend not to have security at ALL (for instance, Mailinator and others). I mean, you can type in random characters and find an email from somebody; if you find the activation email and the login is automatic then you can easily hack that account, very easily. This is one of the reasons why I installed this mod (http://custom.simplemachines.org/mods/index.php?mod=1493) and spent more than 3 hours researching every disposable provider that I could find to restrict them by hand. I did it to try to protect people from their own stupidity (yeah I know that I don't stand a chance, LOL) but at least I tried :) Anyway, IMO the reason why you did it might be this one :)
Title: Re: Logged in after sign up?
Post by: Arantor on August 09, 2014, 09:10:13 AM
Well, that's just it, it's not a route towards cross-account hacking. It's about immediately using an existing account to create a new logged-in session, and without worrying about sending out any kind of email (especially not a verification one, since the OP specifically said about immediate registration).

I would suspect it is about not creating too many extra code paths since after any other account matter like approval or reset password, you're not immediately logged in, and extra code paths introduce risk points.
Title: Re: Logged in after sign up?
Post by: Jade Elizabeth on August 09, 2014, 10:16:29 PM
Let's say it does update the cookie after sign up, would that be simple to do?
Title: Re: Logged in after sign up?
Post by: Arantor on August 10, 2014, 08:14:44 AM
Let's say there's a reason it deliberately doesn't do that.