I’ve just installed the advanced template for Yii 2 and I’ve noticed that the user login still has the attribute “username”.
Could somebody please explain why it is necessary? To me it seems useless nowadays, because every website provides login with just the user’s email and password.
I can’t see any point in forcing users to remember a “username” to log in.
Remembering the email is much easier for web users, especially when the desired username is already taken and the user is forced to accept something like “scoobjunior2014” instead of scoobjunior or scoob.junior.
I would like to suggest that the example app drop the “username” attribute and use the “email” field to authenticate users, as usernames are useless across the whole web nowadays (except for the Yii forum, which still uses them).
By the way, congratulations on the great new framework version!
Maybe, but most users have no clue what OpenID is.
I agree with Junior: bothering users with choosing a username is a bad idea most of the time. However, I found a useful purpose for the username column in my current project: I encrypt all sensitive columns as VARBINARY columns, including the e-mail address. In order to be able to locate a user during login, I store a salted hash of the e-mail address in the username column. Upon login, I hash the provided e-mail address and look for an identical hash in the User table…
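An added example of the lookup that post describes (this is not code from the post or from Yii; the key handling, column names and in-memory storage are assumptions for the demo): the e-mail is encrypted with libsodium, and a keyed hash of the normalised address is stored beside it for login-time lookup. One caveat worth stating: for the lookup to succeed the hash must be recomputable from the e-mail alone, so the "salt" has to be one fixed application secret (a keyed hash, often called a blind index), not a random per-user salt as in password hashing. The consequence is that two rows with the same address get the same index value, which is exactly what makes the equality lookup work.

```php
<?php
// Added example (not from the original post or the Yii project).
// Assumptions: libsodium (PHP >= 7.2), a single application-wide index key and
// encryption key (generated here for the demo; in practice loaded from config/KMS),
// and an in-memory array standing in for the User table.
declare(strict_types=1);

final class UserStore
{
    /** @var array<string, array{email_index: string, email_enc: string}> keyed by user id */
    private array $rows = [];
    private string $indexKey;  // key for the keyed hash ("blind index") column
    private string $encKey;    // key for encrypting the e-mail column itself

    public function __construct(string $indexKey, string $encKey)
    {
        if (strlen($indexKey) !== SODIUM_CRYPTO_GENERICHASH_KEYBYTES
            || strlen($encKey) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('wrong key length');
        }
        $this->indexKey = $indexKey;
        $this->encKey   = $encKey;
    }

    /** Canonicalise first so "Foo@Example.COM " and "foo@example.com" map to one index value. */
    public static function normalizeEmail(string $email): string
    {
        return strtolower(trim($email));
    }

    /**
     * Keyed BLAKE2b hash of the normalised address. The key plays the role of the
     * "salt": it must be the same for every row, or the login code could not
     * recompute the stored value from the submitted e-mail.
     */
    public function emailIndex(string $email): string
    {
        return sodium_bin2hex(sodium_crypto_generichash(
            self::normalizeEmail($email), $this->indexKey, 32));
    }

    public function insert(string $id, string $email): void
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $this->rows[$id] = [
            'email_index' => $this->emailIndex($email),
            // nonce || authenticated ciphertext, stored as VARBINARY in the real table
            'email_enc'   => $nonce . sodium_crypto_secretbox($email, $nonce, $this->encKey),
        ];
    }

    /** Login-time lookup: hash the submitted address and match the index column (WHERE email_index = ? in SQL). */
    public function findByEmail(string $email): ?string
    {
        $needle = $this->emailIndex($email);
        foreach ($this->rows as $id => $row) {
            if (hash_equals($row['email_index'], $needle)) {
                return $id;
            }
        }
        return null;
    }

    /** Decrypt the stored address, e.g. to send mail; fails closed if the ciphertext was tampered with. */
    public function decryptEmail(string $id): string
    {
        $blob  = $this->rows[$id]['email_enc'];
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $pt    = sodium_crypto_secretbox_open($ct, $nonce, $this->encKey);
        if ($pt === false) {
            throw new RuntimeException('e-mail ciphertext failed authentication');
        }
        return $pt;
    }
}

// Constructed demo data
$store = new UserStore(sodium_crypto_generichash_keygen(), sodium_crypto_secretbox_keygen());
$store->insert('42', 'Scoob.Junior@Example.com');

var_dump($store->findByEmail('scoob.junior@example.com'));  // same user, different casing
var_dump($store->findByEmail('someone.else@example.com'));  // no such user
echo $store->decryptEmail('42'), "\n";
```

The index column can be given a normal database index because equal addresses always produce equal values; the encrypted column cannot, which is why the two are stored separately.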
Expose how? In production one would expect the login to be protected by SSL.
The thing with email addresses is that they are unique, so we don’t get some poor soul sitting there getting “This username has already been taken.” It also cuts down on multiple signups.
I really think things should be the other way around: if you want usernames, then deploy them. The default should be email, keeping in line with most applications in the wild.
Sorry if I’m totally wrong, but I have to disagree about OAuth/OpenID.
This type of service is not meant to be used as an alternative to the login/password method, but as a way to request permission to access users’ resources stored with other providers, without asking the user to type their credentials into the consumer/client.
When users sign up with the providers, they still log in with their credentials (mostly email and password), and what protects their data from being “exposed” is the SSL connection, as mentioned above by Backslider.
So, unless you are developing an application that has to consume other servers’ resources, there is absolutely no need to use OAuth. Also, we know well what big providers have done with our data (did you see the case of the NSA, Snowden, spying and so on?)… Alright, I just prefer to store the user data and make use of a secure SSL connection to authenticate.
To be clear: I’m not saying OAuth is useless, just stressing that it is not meant to be a replacement for username/email/password authentication on small websites.
IMO… it depends on the type of application and the user base it’s catering to. Not discussing security and infra here (that’s a separate discussion).
A couple of use cases:
If it’s a B2C website where you expect any individual guest to join/participate, you could expect them to prefer social auth for login rather than registering a new account (so such an option would help your website).
If it’s a B2B website or similar, restricted to specific business group(s), where the account registration and access process is a special need in itself, you may skip social auth.
In addition, I dare say that even in the first case (B2C) we’d better give users the option to register on the website as well, because not everyone has a social account (a caveman like me, though I do have a Google account).
As you said, “so such an option would help your website”; that’s the way I see OAuth in this case: “optional”, not at all a replacement that makes email/password obsolete, as we discussed before.
To make a long story short, we can provide both options, and between them (OAuth and website registration) I personally think that email/password is better than username/password, and making it the default would be a real advantage, not only because the bigger companies use this method, but because it is more logical and easier for the user to remember, as @Backslider said:
“The thing with email addresses is that they are unique, so we don’t get some poor soul sitting there getting ‘This username has already been taken.’ It also cuts down on multiple signups.”
Yes, the reason I mentioned this was that your users dictate this need rather than what the developer prefers.
Agreed. It is preferred. But the reason usernames can still exist is to add privacy/security. Once users have signed in, usernames can be displayed and also used for internal messaging between users, commenting, etc. (like this forum)… without revealing the user’s email in many cases.
About not showing the email: absolutely agreed; for this we may just add a name column and display the name instead of the email.
IMHO, we should not force users to “choose a username”; just have them give a name and email and then choose a password, for their convenience. That is why I’m asking for the default app to be changed.
Can I point out that on some websites you could have the possibility of a couple signing up who both use the same email (rare, I admit, but…), so you would need a way to differentiate the two, i.e. a username.
P.S. As to the topic title, I set it up so that they can log in with either, but in the login form I leave the label as “username”, and it stays that way all through the process, whether a username or an email is used.
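An added example of the “log in with either” setup the post above mentions (this is not the poster’s code nor the Yii 2 template’s LoginForm; the class, the in-memory user list and the dummy-hash step are assumptions for the demo): the single form field is matched against the email column when it validates as an address and against the username column otherwise, and the password is always verified against some hash so that an unknown login does not fail noticeably faster than a wrong password.

```php
<?php
// Added example, not code from the post above or from the Yii 2 advanced template.
// The user records are constructed for the demo; in a real app they come from the User table.
declare(strict_types=1);

final class LoginService
{
    /** @var array<int, array{username: string, email: string, password_hash: string}> */
    private array $users;

    /** Verified when no account matches, so failures take about the same time either way (assumed mitigation, not from the post). */
    private string $dummyHash;

    public function __construct(array $users)
    {
        $this->users     = $users;
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    /** The single "username" field is matched against the email column when it looks like an address. */
    public static function looksLikeEmail(string $login): bool
    {
        return filter_var($login, FILTER_VALIDATE_EMAIL) !== false;
    }

    private function findByLogin(string $login): ?array
    {
        $login = trim($login);
        foreach ($this->users as $user) {
            // E-mail addresses compare case-insensitively; usernames exactly.
            $match = self::looksLikeEmail($login)
                ? strcasecmp($user['email'], $login) === 0
                : $user['username'] === $login;
            if ($match) {
                return $user;
            }
        }
        return null;
    }

    /** Returns the matched username on success, null on failure. */
    public function authenticate(string $login, string $password): ?string
    {
        $user = $this->findByLogin($login);
        $hash = $user['password_hash'] ?? $this->dummyHash;
        $ok   = password_verify($password, $hash);
        return ($ok && $user !== null) ? $user['username'] : null;
    }
}

// Constructed demo data
$service = new LoginService([
    ['username'      => 'scoobjunior2014',
     'email'         => 'scoob.junior@example.com',
     'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
]);

foreach ([['scoobjunior2014', 'correct horse'],
          ['Scoob.Junior@example.com', 'correct horse'],
          ['scoob.junior@example.com', 'wrong'],
          ['nobody@example.com', 'correct horse']] as [$login, $password]) {
    printf("%-28s -> %s\n", $login, $service->authenticate($login, $password) ?? 'denied');
}
```

Deciding the column from the shape of the input means a username can never collide with an address, which matters if usernames are free-form; if usernames may contain “@”, look up both columns instead.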
As it may take some time due to my small (almost zero) knowledge of GitHub, if anyone else interested in the topic does it first, please let us know.