This weekend I learned a lot of Yii while working on my first application. And I read a lot - and struggled to program registration and authentication.
I have a table "user" with the fields:
email
username
password
activation-key
active
(1) the user fills out the registration form
(2) gets an email with a link with the activation-key
(3) clicks on the link
(4) field "active" gets TRUE - and the user has successfully registered
Now he should build a new password in a form - but I don’t know how to do it securely.
One possibility would be sending him an automatically generated password - though I don’t like this idea for his first password after registration.
Is there an easy, secure Yii-way to let the user build his own password?
If the user later forgets his password, he can ask for an email with an automatic password which he should change.
Ah, one idea … could I say to Yii after step (4) above, this is an authenticated user even though he didn’t log in? And then let him build his password for his first login?? If yes, how?
I read a lot to try answering my own question. I found auto-login but that didn’t help.
Maybe someone can answer the question above - how can I tell Yii: “this user is authenticated” when in reality he isn’t because he has just registered and does not have a password.
Autogenerated first password is ok (but must be changed after the first login). This simplifies the registration process to only one required field: email (that can be used as login).
Actually, the activation link is also redundant
Here’s the registration process with one required field:
User submits his email
User record is created and new auto-generated password is sent to that email.
If email is owned by someone else, user just cannot login (he doesn’t have the password). If the email belongs to user, then he can login for the first time, using his email and password from email.
You ask the user to fill in the rest of his profile (name, new password etc.).
$identity = new UserIdentity($username, $password); // authenticate by login and password
if ($identity->authenticate()) {
    Yii::app()->user->login($identity); // tell Yii this user is now authenticated
} else {
    echo $identity->errorMessage;
}
So I think you need to create another (or extend existing) UserIdentity class to allow creating identities based on some other credentials, like activation key.
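As an added example (not code from this thread or from Yii itself), here is what such an identity class could look like in Yii 1.x: it authenticates by a one-time activation key, consumes the key, and flags the session so the user can only set a first password. It assumes PHP 5.6+ for hash_equals, an ActiveRecord model named User over the "user" table, and two assumed columns (activation_key and key_expires as a unix timestamp) alongside the email, password and active fields from the question; ActivationKeyIdentity and the mustSetPassword state are names chosen for the example.

```php
<?php
// Added example, not the thread's or Yii's own code. Assumes Yii 1.x, PHP >= 5.6
// (hash_equals) and a User AR model with columns id, email, active,
// password (NULL until the user sets one), activation_key, key_expires (assumed).
class ActivationKeyIdentity extends CBaseUserIdentity
{
    const ERROR_KEY_INVALID = 10; // app-specific codes, not Yii constants
    const ERROR_KEY_EXPIRED = 11;
    private $_id;
    private $_email;
    private $_key;
    public function __construct($activationKey)
    {
        $this->_key = (string)$activationKey;
    }
    public function authenticate()
    {
        // Only accounts that still hold a key and have no password may use this
        // path, so a consumed key can never serve as a second login credential.
        $user = User::model()->find('activation_key=:k AND password IS NULL',
            array(':k' => $this->_key));
        // hash_equals re-checks the exact bytes (DB collations may be case-insensitive)
        if ($user === null || !hash_equals($user->activation_key, $this->_key)) {
            $this->errorCode = self::ERROR_KEY_INVALID;
            return false;
        }
        if ((int)$user->key_expires < time()) {
            $this->errorCode = self::ERROR_KEY_EXPIRED;
            return false;
        }
        // Single use: clear the key and mark the account active in one save.
        $user->activation_key = null;
        $user->active = 1;
        $user->save(false);
        $this->_id = $user->id;
        $this->_email = $user->email;
        $this->setState('mustSetPassword', true); // checked in beforeAction()
        $this->errorCode = self::ERROR_NONE;
        return true;
    }
    public function getId()   { return $this->_id; }
    public function getName() { return $this->_email; }
}
// In the activation action, with the key taken from the emailed link:
$identity = new ActivationKeyIdentity(Yii::app()->request->getQuery('key'));
if ($identity->authenticate()) {
    Yii::app()->user->login($identity, 0); // session only, no remember-me cookie
    // redirect to the set-password form; while getState('mustSetPassword') is
    // true, beforeAction() in your controllers should allow no other action.
}
```

The login() call is the answer to "how do I tell Yii this user is authenticated": the identity decides what counts as a credential, and the mustSetPassword state keeps that session from doing anything else until a real password exists.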