I have been thinking about keeping registering and ‘logging in’ to a minimum on websites. We all hate registering with websites unless absolutely necessary, right? I am building an online store for music downloads. If the user does an 'add to cart', it would be nice if they did not have to register or log in, but only provide their email address. Admin could provide a provisional login. One would decorate relevant functions with @auth.requires.provisional.login.
The provisional login would only ask the users for their email address (and explain this is just to use as a unique identifier for them). Auth.user.id would work correctly if they had previously registered. If they had not previously registered, a record would be added to db.auth_user, giving a new auth.user.id. The user could remain at this provisional login stage whilst viewing the cart and doing various other activities. The user need only register after they click ‘pay now’. If they have previously registered then they need not log in even at the ‘pay now’ stage. Only when they go to view their paid-for downloads should they need to log in.

I am a big fan of websites being as friendly as possible and as unofficious as they can be. I had originally thought that the provisional auth_user records would be deleted after 24 hours, but I think it is actually better if they remain in the database, so that users can come back and access their cart at a later date. What do other people think of this idea? It does not seem to reduce security.

Peter
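The three access tiers described in the post above, modelled as an added example that is not part of the original post and does not use web2py's Auth API. `Level`, `Session`, `USERS`, `provisional_login` and `requires` are hypothetical names; the point shown is that a session created from an email address alone stays below the authenticated tier even when the address matches a registered account.

```python
from dataclasses import dataclass
from enum import IntEnum
from functools import wraps
from typing import Optional

class Level(IntEnum):
    ANONYMOUS = 0
    PROVISIONAL = 1    # e-mail address claimed, nothing verified
    AUTHENTICATED = 2  # password checked

@dataclass
class User:
    id: int
    email: str
    registered: bool = False  # False: row created from an e-mail address only

@dataclass
class Session:
    user: Optional[User] = None
    level: Level = Level.ANONYMOUS

class AccessDenied(Exception):
    pass

USERS = {}  # stand-in for db.auth_user, keyed by normalised e-mail (assumption)

def provisional_login(session, email):
    """Attach the session to the row for this e-mail, creating one if needed."""
    key = email.strip().lower()
    user = USERS.get(key) or USERS.setdefault(key, User(len(USERS) + 1, key))
    session.user, session.level = user, Level.PROVISIONAL
    return user

def requires(level, registered=False):
    """Decorator: enforce a minimum session level and, optionally, registration."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session, *args, **kwargs):
            if session.level < level:
                raise AccessDenied(f"{fn.__name__}: needs {level.name}")
            if registered and not session.user.registered:
                raise AccessDenied(f"{fn.__name__}: registration required")
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator

@requires(Level.PROVISIONAL)
def view_cart(session): return f"cart for user {session.user.id}"

@requires(Level.PROVISIONAL, registered=True)
def pay_now(session): return f"payment started for user {session.user.id}"

@requires(Level.AUTHENTICATED)
def view_downloads(session): return f"downloads for user {session.user.id}"
```
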