Hi all,

I'm trying to build a nice authentication flow for a website.

In my opinion, a good flow would be:
0. There are no usernames; emails are used instead,
1. User signs up by just entering their email address,
2. An account is created for them, and a temporary plaintext password,
along with a sign-in link, is sent by email (only its hash, not the
plaintext password, is stored in the database),
3. If they log in for the first time, they are prompted, but not
forced, to change their password (this is not emailed),
4. If they forget their password, a new temporary password, along with
a sign-in link, is sent to them by email.
5. There should be as few intermediate "success confirmation" pages as
possible, instead redirecting to a useful page and showing a
temporary message there.

I would argue that this is as secure as ordinary password reset emails.
Emailing users their passwords is insecure if they *themselves* chose
the password - because they often re-use it on multiple sites.
As long as it is a randomly generated one, it is no different from
emailing them password reset links.
Do you agree?

What would you recommend as the approach to building this with least
effort, while keeping the rest of django and django.contrib packages
working as expected?
I've experimented briefly with django-registration, and it seems that
the best approach might be writing a new backend for it.
Do you have any other suggestions or packages that I should look at first?

Thanks,

Mattias

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
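The flow sketched in the post, as an added stand-alone Python example (it is not code from the thread, from Django or from django-registration). The `UserStore` class, `SERVER_SECRET`, the PBKDF2 settings and the sample addresses are constructed stand-ins; in a Django project the same roles are played by `make_password()`/`check_password()` from `django.contrib.auth.hashers`, `settings.SECRET_KEY`, and `django.contrib.auth.tokens.PasswordResetTokenGenerator`, which likewise folds the user's password hash and `last_login` into its token so a link stops validating once it has been used or the password has changed. The example shows the property the post relies on: the emailed secret is random and never user-chosen, only its hash is stored, and the sign-in link is time-limited and single-use.

```python
"""Email-only sign-up with a random temporary password and a signed sign-in link.

Added example, standard library only, so it runs without Django. Everything
here (store, secret, iteration count, addresses) is constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

SERVER_SECRET = secrets.token_bytes(32)  # constructed stand-in for settings.SECRET_KEY
LINK_TTL_SECONDS = 60 * 60               # sign-in links expire after one hour
PBKDF2_ITERATIONS = 100_000              # tune upward for production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only this pair is stored, never the plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(stored: Tuple[bytes, bytes], candidate: str) -> bool:
    salt, digest = stored
    return hmac.compare_digest(hash_password(candidate, salt)[1], digest)


class UserStore:
    """Constructed in-memory stand-in for the users table (keyed by email, step 0)."""

    def __init__(self) -> None:
        self.users: dict = {}

    def _token_key(self, email: str) -> bytes:
        # Bind the link to the current password digest and last_login: a password
        # change or a completed sign-in changes this key and voids every older link.
        u = self.users[email]
        return u["password"][1] + str(u["last_login"]).encode()

    def make_signin_token(self, email: str, now: Optional[int] = None) -> str:
        expires = int(now if now is not None else time.time()) + LINK_TTL_SECONDS
        payload = f"{email}|{expires}".encode()
        sig = hmac.new(SERVER_SECRET, payload + self._token_key(email), hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload + b"|" + sig.encode()).decode()

    def _issue_temporary_password(self, email: str, now: Optional[int]) -> Tuple[str, str]:
        temp_password = secrets.token_urlsafe(12)  # random, so never reused on other sites
        self.users[email]["password"] = hash_password(temp_password)
        self.users[email]["must_change"] = True    # drives the prompt in step 3, not a hard block
        return temp_password, self.make_signin_token(email, now)

    def signup(self, email: str, now: Optional[int] = None) -> Tuple[str, str]:
        """Steps 1-2: create the account; returns what goes into the welcome email."""
        self.users[email] = {"password": None, "must_change": True, "last_login": None}
        return self._issue_temporary_password(email, now)

    def reset_password(self, email: str, now: Optional[int] = None) -> Tuple[str, str]:
        """Step 4: same mechanism; the new digest invalidates any outstanding link."""
        return self._issue_temporary_password(email, now)

    def login_with_password(self, email: str, password: str, now: Optional[int] = None) -> bool:
        user = self.users.get(email)
        if user is None or not verify_password(user["password"], password):
            return False
        user["last_login"] = int(now if now is not None else time.time())
        return True

    def login_with_token(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the email if the link is valid, unexpired and unused, else None."""
        now = int(now if now is not None else time.time())
        try:
            decoded = base64.urlsafe_b64decode(token.encode()).decode()
            email, expires_s, sig_hex = decoded.rsplit("|", 2)
            expires = int(expires_s)
        except (ValueError, UnicodeDecodeError):
            return None
        if email not in self.users or expires < now:
            return None
        payload = f"{email}|{expires}".encode()
        expected = hmac.new(SERVER_SECRET, payload + self._token_key(email), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig_hex):
            return None
        self.users[email]["last_login"] = now  # consuming the link makes it single-use
        return email

    def change_password(self, email: str, new_password: str) -> None:
        """Step 3: user-chosen replacement; this one is never emailed."""
        self.users[email]["password"] = hash_password(new_password)
        self.users[email]["must_change"] = False
```

The single-use property comes from the token binding rather than from a separate "used" column: because the signature covers the password digest and `last_login`, either a sign-in through the link or a later reset changes the key and the old link fails verification. Note that this still leaves the temporary password valid until the user changes it, which is why step 3's prompt matters even though it is not enforced.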
