Should the user be auto-logged in after registration?

s.webbandit · Sep 28, 2012 · Viewed 7k times

Is it safe to log a user in automatically after registration?

The user fills in the registration form, an info message is sent to his mailbox, and what then:

  • The user is redirected to the login page, which asks him for credentials;

OR

  • The user is automatically logged in as his newly created user?

I feel something is not safe enough about auto-login, but I can't figure out what!

Answer

Glade Mellor · Sep 28, 2012

If they just filled out the login information and you're not concerned about confirming that the email address is legit, then there shouldn't be a problem just logging them in directly.

However, you open yourself up to people/bots creating bogus accounts (at least ones without legitimate email addresses). If you're concerned about that (not sure if this is a public-facing app or intranet, etc.) then you should at least verify the email address by sending a link with a GUID or some identifier that you can track back. Then you can let them log in once they are confirmed.

You could also just tie it to their StackExchange/Facebook/OpenID/etc account and not make users fill out yet another form and worry about maintaining all that information.
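
The email-confirmation step described in the answer above, as an added example that is not part of the original answer: the account stays unconfirmed until the emailed link is followed, and login is gated on that flag. It uses a random token from Python's `secrets` module in place of a GUID; the function names, the in-memory tables and the 24-hour lifetime are assumptions made for this sketch.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds

# In-memory stand-ins for the user and token tables (constructed for this example).
users = {}    # email -> {"confirmed": bool}
pending = {}  # sha256(token) -> (email, expires_at)


def _digest(token):
    # Store only a hash so a leaked token table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


def register(email, now=None):
    """Create an unconfirmed account; return the token to embed in the emailed link."""
    now = time.time() if now is None else now
    users[email] = {"confirmed": False}
    token = secrets.token_urlsafe(32)  # unguessable identifier for the link
    pending[_digest(token)] = (email, now + TOKEN_TTL)
    return token


def confirm(token, now=None):
    """Consume a token from the link; return the confirmed email or None."""
    now = time.time() if now is None else now
    entry = pending.pop(_digest(token), None)  # pop makes the token single-use
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at or email not in users:
        return None
    users[email]["confirmed"] = True
    return email


def can_log_in(email):
    """Gate the login (or auto-login) on the confirmed flag."""
    user = users.get(email)
    return bool(user and user["confirmed"])
```

A successful `confirm()` is the point at which the application can start a session for the returned address, since following the link shows control of that mailbox.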