Thank you Zaky Katalan-Ezra and jacmoe for your valuable input.

I'd like to think that I'm not reinventing the wheel, but ensuring
that it is as round as it gets.

While OpenID is great, it has a couple of issues as I think about it:

- It requires a learning curve: you need to know how to use it, and even
though it's easy once you know it, it may still be an issue for a non-
geeky user.
- It requires a provider, or becoming a provider; either way it's
something to consider. A user may not want to use an OpenID and prefer
to create a new account on the site.

Anyway, that's not the point, and I know I still should implement
OpenID as a login option.

With your suggestions in mind here's a registration/authentication
logic I think for a generic web-app:

- OpenID as a login option. If the user knows how to use it and is fine
using another site as the account provider, then return true; and
further doesn't matter (mostly).

- Transparent registration. User enters his email (everyone has email,
zero learning curve), checks his inbox, logs in with the authorizing link;
at this time his email gets validated in the user database and he can
use the site and edit his user account.
  - He is also provided an option to create a password and be able to
    log in with it next time. If not, he'll still be able to authorize by
    email. This option might as well be provided in the very beginning,
    with the email address, to make it look more traditional, but still
    keep it optional.
  - He is provided an option to associate his other emails with the
    account, so whichever email he uses to log in next time, he is
    recognized as the same person.

- (optionally, if web-app doesn't require a valid email and developer
is worried about users who may not want to provide it) Allow user to
register account with username and password only.

What I have hopefully solved is how easily and straightforwardly a user
gets logged in the first time he comes to the site. He may want to
just try my app out and forget about it. He may come across my app a
year later and won't have to remember or restore his password.

As I look around, most web-apps today require registration with
login/email and password and require validation of the email, which is
something I wanted to optimize.

Please, give me your feedback. Also if anyone came across similar
discussions, I would appreciate links.

Thank you.

Yura
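The email-link registration flow described in the message above, as an added example that is not code from the original thread or from WhenDidYouLast.com: a framework-agnostic Python sketch of issuing and redeeming a single-use, short-lived login link, storing only the token's digest (the base URL, 15-minute TTL and in-memory stores are assumptions made for the example).

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

LINK_TTL = 15 * 60  # seconds a mailed login link stays valid (assumed policy)


@dataclass
class PendingLink:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkAuth:
    """Email-link login: a random single-use token is mailed to the user.
    Only its SHA-256 digest is kept server-side, so a leaked table does
    not yield working links."""

    def __init__(self, base_url="https://example.invalid/login"):  # placeholder URL
        self.base_url = base_url
        self.pending = {}   # token digest -> PendingLink
        self.users = {}     # email -> {"verified": bool}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now=None):
        """Create (or find) the account for this email and mint a login link.
        The returned URL is what would be emailed; the email stays
        unverified until the link is redeemed."""
        now = time.time() if now is None else now
        email = email.lower()
        self.users.setdefault(email, {"verified": False})
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self.pending[self._digest(token)] = PendingLink(email, now + LINK_TTL)
        return f"{self.base_url}?token={token}"

    def redeem(self, token, now=None):
        """Validate a clicked link. Returns the email on success, None otherwise.
        Single-use plus expiry bounds the damage of a forwarded or leaked mail."""
        now = time.time() if now is None else now
        link = self.pending.get(self._digest(token))
        if link is None or link.used or now > link.expires_at:
            return None
        link.used = True
        self.users[link.email]["verified"] = True  # email validated on first login
        return link.email
```

A real deployment would persist `pending` and `users` in the database, send the URL by email, and start a session for the returned email; adding an optional password later is a separate, independent credential on the same account.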

On Mar 12, 7:53 am, jacmoe <[email protected]> wrote:
> Are you sure you are not reinventing wheels?
> Why not use OpenID, or similar?
>
> There's an OpenID component for CakePHP here: http://code.42dh.com/openid/
>
> It is supposed to be pretty secure, and you get what you want: no
> registering, no need to remember any password (but one), etc.
>
> If I were you, I'd go for that. ;)
>
> On Mar 11, 5:15 am, Yura Linnyk <[email protected]> wrote:
>
> > Hello fellow bakers,
>
> > I've just baked a simple web-app, http://WhenDidYouLast.com, where I
> > implemented a proof of concept I had been thinking about for a while - a
> > passwordless seamless registration, where you don't have to register
> > and don't have to remember your password, just enter your email, check
> > your inbox for the authorizing link and voila, you are logged in.
>
> > Now I'd like to ask for advice from the community. Do you see any
> > security pitfalls in the idea? Is it not convenient? or lame in any
> > way? :) Personally when I get registered at a next web-app I catch
> > myself thinking about why wouldn't they let me in this simple way and
> > not make me think of a password, save it somewhere etc. and just have
> > me visit my inbox. Unless it is my bank's account, of course, or a
> > larger scale app. And most web-apps allow me to reset my password
> > with my email anyway. A couple of websites I am registered at send me
> > an auto-login link when I get a new PM, but still require me to remember
> > my password if I'm just visiting.
>
> > So as far as we're talking about a web-app where I don't need any
> > personal information about you as a user, recognizing and authorizing
> > by email looks like something worth going with. Though I can imagine a
> > user concerned about not sharing his email who would choose to
> > register an account with login and password if it allows him to skip
> > entering email.
> > What do you think?
>
> > The app is baked with Cake 1.3 rc1, Authsome (aptly named, so to
> > speak!) and Blueprint. Quite simple, I'll be adding some features
> > later :)

You received this message because you are subscribed to the Google Groups
"CakePHP" group.