Password Building After Registration

This weekend I learned a lot of Yii while working on my first application. And I read a lot - and struggled to program registration and authentication.

I have a table "user" with the fields

  • email

  • username

  • passwort

  • activation-key

  • active

  1. the user fills out the registration-form

  2. gets an email with a link with activation-key

  3. clicks on the link

  4. field "active" gets TRUE - and the user has successfully registered

Now he should build a new password in a form - but I don’t know how to do it securely.

One possibility would be sending him an automatically generated password - though I don’t like this idea for his first password after registration.

Is there an easy secure Yii-way to let the user build his own password?

If the user later forgets his password, he can ask for an email with an automatic password which he should change.

Ah one idea … could I say to Yii after step (4) above, this is an authenticated user though he didn’t login? And then let him build his password for his first login? If yes, how?

Regards

Jannis

I read a lot to try answering my own question. I found auto-login but that didn’t help.

Maybe someone can answer the question above - how can I tell Yii: “this user is authenticated” when in reality he isn’t because he has just registered and does not have a password.

Regards

Jannis

Autogenerated first password is ok (but must be changed after the first login). This simplifies the registration process to only one required field: email (that can be used as login).

Actually, the activation link is also redundant :)

Here’s the registration process with one required field:

  1. User submits his email

  2. User record is created and new auto-generated password is sent to that email.

  3. If email is owned by someone else, user just cannot login (he doesn’t have the password). If the email belongs to user, then he can login for the first time, using his email and password from email.

  4. You ask user to fill the rest of his profile (name, new password etc).

Btw here’s what you probably want:

http://www.yiiframework.com/doc/api/1.1/CPasswordHelper

Thanx ORey,

your method sounds super easy :)

But for legal reasons I want to use the activation key.

When someone comes back after the registration with the activation key, then I know who it is.

Which Yii-parameter do I have to change or what method must I call to tell Yii … "We know him … send him the SessionID/Cookie"?

I looked through the standard-login-procedure and found:

Yii::app()->user->login($this->_identity, 500000);

… didn’t work. Maybe the wrong method? And I don’t know, from where I can get $this->_identity in a view.

Do you/someone know/s more?

Jannis

Usually, the login process goes like this:


$identity=new UserIdentity($username,$password); // authenticate by login and pwd
if ($identity->authenticate()) {
    Yii::app()->user->login($identity);
} else {
    echo $identity->errorMessage;
}



So I think you need to create another (or extend existing) UserIdentity class to allow creating identities based on some other credentials, like activation key.

Here’s more on that:

http://www.yiiframework.com/doc/guide/1.1/en/topics.auth
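
One way to build the identity class suggested in the last reply, as an added example for Yii 1.1 (not code from the thread or from Yii itself). It assumes a `User` CActiveRecord model with columns `id`, `username`, `activation_key` and `active`; the controller, action and `user/setPassword` route are hypothetical names.

```php
<?php
// Assumed (not from the thread): User model with id, username, activation_key, active.
class ActivationIdentity extends CBaseUserIdentity
{
    private $_key, $_id, $_name;

    public function __construct($key) { $this->_key = $key; }

    public function authenticate()
    {
        $this->errorCode = self::ERROR_UNKNOWN_IDENTITY;
        // Reject empty or non-string input so a blank/NULL column can never match.
        if (!is_string($this->_key) || $this->_key === '') {
            return false;
        }
        $user = User::model()->findByAttributes(array('activation_key' => $this->_key));
        if ($user === null) {
            return false;
        }
        // Consume the key atomically: the UPDATE only matches while the key is still
        // stored, so a replayed or concurrent request with the same link gets 0 rows.
        $n = User::model()->updateByPk(
            $user->id, array('active' => 1, 'activation_key' => null),
            'activation_key = :k', array(':k' => $this->_key)
        );
        if ($n !== 1) {
            return false;
        }
        $this->_id = $user->id;
        $this->_name = $user->username;
        $this->errorCode = self::ERROR_NONE;
        return true;
    }

    public function getId() { return $this->_id; }
    public function getName() { return $this->_name; }
}

class UserController extends CController // hypothetical controller
{
    public function actionActivate($key) // bound from ?key=... in the e-mailed link
    {
        $identity = new ActivationIdentity($key);
        if (!$identity->authenticate()) {
            throw new CHttpException(404, 'Invalid or already used activation link.');
        }
        Yii::app()->user->login($identity, 0); // 0 = session only, no remember-me cookie
        $this->redirect(array('user/setPassword')); // hypothetical password form route
    }
}
```

The password form's action should store only `CPasswordHelper::hashPassword($newPassword)` and later check logins with `CPasswordHelper::verifyPassword()`. The activation key itself should come from a cryptographically secure random source and be long enough that it cannot be guessed.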