[drupal-devel] [feature] Single step account creation and login

Kobus drupal-devel at drupal.org
Mon Sep 19 08:18:59 UTC 2005

Issue status update for 
Post a follow up: 

 Project:      Drupal
 Version:      cvs
 Component:    user.module
 Category:     feature requests
 Priority:     normal
 Assigned to:  amanuel
 Reported by:  mathias
 Updated by:   Kobus
 Status:       patch (code needs review)

I believe that a one-time url is a good solution, and that it is a MUST
add if you add the "own password" option. If you generate the password,
just add the "log in" button and redirect to the page the user

Mozilla 1.7 has a password security meter built in. If you allow users
to generate their own password, couldn't something like this be
implemented with AJAX (which, of course, is unavailable if degraded?)




Previous comments:

Sat, 03 Jan 2004 23:49:54 +0000 : mathias

Under special circumstances, i would like a new user to be able to
choose their own password and be automatically logged into the site
without needing to check their email. I feel this is necessary for my
ecommerce module, where after anonymous users are ready to "Proceed to
checkout", they need to create an user account to continue.  It is
tedious for the customer if they have to stop, check their email, log
into the site and then resume the checkout process.

I'm game to code this (if this has potential to be part of the core), i
just need some feedback on the best way to tweak user_register.


Sun, 04 Jan 2004 06:18:07 +0000 : moshe weitzman

+1 for this. I don't think you will get much objection to this much
needed usability enhancement.


Thu, 08 Jan 2004 05:48:40 +0000 : mathias

Attachment: http://drupal.org/files/issues/user.module-quick_acount.patch (7.11 KB)

This is a prototype patch to make sure i'm going in the right direction.
 I feel this patch is about 95% complete, the outstanding issue being
page redirection after quick-account creation. 

It introduces and new option under the user admin settings "Public
registrations" called "Visitors can create accounts and sign in
immediately.", allowing visitors to submit their own passwords upon
account creation.  This is important in an ecommerce site where a new
customer wants to the checkout process to be as easy and seamless as


Thu, 08 Jan 2004 10:22:09 +0000 : moshe weitzman

i read through the patch. looks good to me. a few notes

- we should still send a password via email to users who choose their
ow password. with some text tweaking, we should be able to send the
same welcome email to 'generated password' registratants, and 'user
specified password' registrants.
- I think we need a setting for minimum length of a password. the
password textfield should inform users of this requirement.
- you don't actually relinquish control after saying "/* Let the
developer control where the user is redirected. */". i assume this part
isn't finished yet.

nice work.


Thu, 08 Jan 2004 13:46:07 +0000 : flevour

Are there any anti-bot checks around, e.g. randomly generated images
that contain text or numbers to insert in a box?
Congrats for your work :p
// flevour


Thu, 08 Jan 2004 13:54:19 +0000 : Bèr Kessels

I had another idea. that would be to filter all emailadresses (in
content too) into a link to the feedback module.

thus http://www.mysite.org/feedback/mailto/me/mysite.org

the feedback can then print a form that can send the message to
me at mysite.org.

Would this be a good feature or not?



Thu, 08 Jan 2004 13:56:36 +0000 : Bèr Kessels

sorry folks. placed this in the wrong box. Was updating another feature,
and reading this one (to see if it was the same one) i then, by
accident, filled replyed here. :(



Thu, 08 Jan 2004 16:49:56 +0000 : Dries

Showing an image with random generated text that a user is supposed to
copy, makes your website inaccessible for visually impaired: they can't
be read by a screen reader.


Thu, 08 Jan 2004 17:07:02 +0000 : mathias

Responding to Moshe's comments:

- we should still send a password via email to users who choose their
own password. with some text tweaking, we should be able to send the
same welcome email to 'generated password' registratants, and 'user
specified password' registrants.

That is a good point. I'll update the patch.

- I think we need a setting for minimum length of a password. the
password textfield should inform users of this requirement.

Agreed. In my patch i checked to make sure the password was at least
six characters long, but this should be an element that can be tweaked
by the admin. It might be best to make this a global password length
system variable.

 - you don't actually relinquish control after saying "/* Let the
developer control where the user is redirected. */". i assume this part
isn't finished yet.

Yep, that's the part i'm still working on.  Thanks for the critical


Wed, 14 Jan 2004 04:31:06 +0000 : mathias

Attachment: http://drupal.org/files/issues/user_0.module-quick_acount.patch (7.95 KB)

The patch has been updated and is ready for final review, and commit.


Wed, 14 Jan 2004 22:37:53 +0000 : Dries

Not sure.  Wouldn't it make more sense (and result in better/less code)
to let the user *always* choose his password and to introduce a admin
setting to control whether e-mail addresses should be validated by


Sun, 15 Feb 2004 17:02:38 +0000 : moshe weitzman

moving out of patch queue until a cleaner implementation is submitted
... this feature is still quite valuable.


Fri, 05 Nov 2004 19:21:49 +0000 : Nick Nassar

I agree with Dries that it makes a lot of sense to always let the user
choose her password. It's a pain to copy and paste in a randomly
generated password, then change it. Hash link based verification is
much easier.

That's really a seperate issue from an option to disable verification.


Fri, 22 Jul 2005 22:11:42 +0000 : amanuel

Attachment: http://drupal.org/files/issues/user4.6.2.patch (4.25 KB)

Following Dries's suggestion, I have implemented a "Enable Email
Verification" option to user.module. The attached patch does the job.

With this patch the system by default will ask for a password. If Email
Verification is turned on in the settings, the system will send the
password via email.

$edit['destination'] is carried so as to allow the user to return where
they were (shopping cart etc.)

Any comments?



Sat, 23 Jul 2005 05:48:08 +0000 : mathias

I want users to be able to enter their own passwords upon account
creation, but this patch still needs some work.

- The email verification checkbox in user admin settings is confusing.
I'm assuming that it applies to any of the selected registration
options? However when I select that only site admins can create new
user accounts, the accounts I create don't get any emails sent for the
user to verify. 

- When a user signs up and enters his/her own password I think they
should be logged in automatically rather than taken to a screen asking
them to click the login button. 

- User entered passwords aren't validated. We should check to make sure
they're at least six characters and verify the password strength level
to some degree (i.e. same characters, all lowercase letters.)


Fri, 29 Jul 2005 05:09:30 +0000 : Steven

I agree with Dries. Random-generated passwords are hard to use. We
already have optional hash-link functionality on signup, so I think we
should always use it.


Sun, 07 Aug 2005 17:02:45 +0000 : killes at www.drop.org

I actually disagree with Dries and Steven. I let firefox maintain all my
passwords and couldn't care less what my actual pw for any Drupal based
website is. If we let the user provide a password then I at least woudl
want to havd Drupal suggest one for me.


Mon, 19 Sep 2005 00:35:55 +0000 : Uwe Hermann

I agree with killes here. Asking the user to choose a password usually
results in _very_ insecure passwords. Give them random passwords per
default in order to keep most of the accounts secure. If a user then
changes the password to his pet's name, that's his problem...


Mon, 19 Sep 2005 05:51:15 +0000 : robertDouglass

I'd just like to mention that I recently needed a slightly different
modification to the user creation workflow. The site was of the nature
where all of the content was behind a splash screen that required
registration before the visitors could get to it. My client needed his
users to be taken to the content area immediately upon filling out the
registration form and not have to wait for the mail and use their
password etc to log in. I bring this up because there are probably 3-4
more workflows for account creation that we could support, if we wanted
to, the current password creation issue being one of them. I would be
supportive of adding more configuration options because I see that many
sites have different needs. Options to add would include:

1) Should the user receive a generated password or should they get to
choose their own?
2) If the user gets a generated password, it will be mailed; should
they have to wait to log on, or should registering intitiate their
3) If the user chooses his or her own password, there is no way to
confirm that they own the email address they entered. Should they be
sent a 1-time URL confirmation mail and be required to click the link
in order to confirm their mail?

I would be very supportive of letting users create their own password
if they were sent a 1-time URL to confirm their mail.

How much interest is there for adding all of these options?



Mon, 19 Sep 2005 06:35:20 +0000 : Crell

The password should always be emailed to the user.  They will forget
their information otherwise. :-)

I too would like to have the option of email-less account creation.  I
just finished part 1 of a project for a client where we're using Drupal
more as an app framework for an intranet app than as a CMS.  Avoiding
the "now check your email" step was a mandatory requirement of the
system, so I ended up hacking user.module to give all users the same
auto-generated login button that the first user gets.  

For an intranet application (or pseudo-intranet in this case, silly as
it is), that's acceptable.  For a public site, that is begging for
spambots.  Even with CAPTCHAs or similar verification techniques, it
opens the site up to spam.  However, if a site doesn't have
user-generated content but does have a need for registration
(ecommerce, for instance), skipping that email step is also very
important.  An email should still be sent, as I said, but you're going
to lose your customers if they have to go to their email twice (once to
create an account, once to get their receipt).  

Perhaps an admin option to allow users to log in immediately upon
account creation, defaulting to no, with a big message pointing out to
the admin that it's a potential security hole if the "registered users"
role has any content-creation capability at all.  

That would be an entirely different question from letting users enter
their own password.  Given how easy it is to get a new password in
Drupal already, I'd say we should still just auto-generate in all
cases.  They can change it if they want.

More information about the drupal-devel mailing list