The Perfect Login

Aaah, login….. the moment when your site visitors create that special intimate connection with you. Such a simple action, yet so simple to mess up.

Drupal contributors have provided a plethora of modules that adjust and optimize the process. A jaunt through Dripals’s module repository, even the User access/authentication sectiontends to overwhelm one with the richnes of options, so here are my pickings:

Email Registration - use email address to log in and to create user ID. Perfect if you are dealing with people incapable of picking a user ID, like the elderly, or simply not allowed to, like the corporate employees.
not to be confused with

Email Verification - this module attempts to verify if the user has mistyped the email address during registration. The techniques, while quite ingenious, are similar to the ones used by spammers to discover email addresses. In fact, it is possible for a spammer to use your site with Email Verification installed just for that purpose. While the modules offers a valid solution for a real problem, you are probably better off delaying its deployment till the problem manifests itself strongly enough for you to analyze the full security implications of the solution.

Alternate Login - what if you want people to log in not with their username, not with their email, but with something else? (Why? - Because they asked you to!) Well, this is the way. Please note: the userid is still valid and can be used to log in as well. Oh, and you can have only one extra alternate login, although if you are desperate enough you can always hack the module.

Many Happy Returns

If your visitors go though a complex series of actions that are stored within their sessions (like a quiz), Session Restore would preserve the session data between user logins. Before you install it, you should understand what this module actually does: it will not take you to the last visited URL within the site, it just preserves the data.

Persistent Login module makes sure that if you logged-in user closes the browser or just walkaway till the session expires, next time she is back (via the same computer), she is logged in automatically. So, once you are logged in, you stay logged in till you logged out. It’s the good old “remember me” feature, but implemented smartly. The module is well designed and gives you a solid set of configuration options. Most importantly, it is under active development, and there is already a 6.x version for the adventurous ones.

Invitations

Site Pass - A Site Pass is a 6 digit code (like “G5FRD7″) which is valid for 24hours, one time only, from a computer at the IP address that requested it. After 3 failed login attempts from an IP address, all unused Site Passes for that IP address will be deleted. Perfect as a teaser for a potential partner, customer, or an investor.

Temporary Invitation is effectively a more sophisticated version of Site Pass. The module allows the inviter to specify the duration of invite validity (once it expires, the invitee looses access to the site: the account is either deleted or blocked - your choice). I am impressed by the modular structure of this contribution: the API has been moved into a separate module, so that you can roll your own UI if you need to, and the module itself integrates nicely with Token and Workflow-ng. This is how software should be written!

If invitations are an essential on-going feature of your site, go with Invite module. It has a comprehensive, well thought through feature set, is under constant developmen, and works well with a number of other modules like Userpoints, BuddyList, Userpoints, Contact List Importer and Request Invitations. You can limit the number of invitations given to a user, and even bestow the power to revoke memberships from the people yur users invited, thus building a sort of “power pyramid”.

Covering Your Ass

There is already a built-in disclaimer (”User Registration Guidelines”) form in Drupal. Check it out at admin/user/settings If that is not enough - proceed to the following modules.

Legal module manages your Terms and Conditions, even makes the user re-sign them every time they change (offers multiple checkboxes and explanation of changes as well). Minor irritations: when accessed directly the legal page not onlyshows all the same checkboxes, but also displays a double header (not configurable by the user)), so some minor hacking will be required if you are a perfectionist.

Dot_disclaimer module offers separate disclaimers for registration, posting content and submitting comments. The disclaimers are created as your typical pages, and so you can use revisions to please your lawyers. The only real problem is that it does not seem to keep track of who has signed the disclaimer and who has not: it shows them (and requires a signature) every time. - this is more than I want to expose my users to.

I wish these two modules were merged - the resulting feature set would be most excellent.

Sessions and Security

Autologout - if you are storing potentially sensitive data and do not trust the users to log out, or just want to impress them with you security prudence, this module will give you the freedom to take care of that (and with great many necessary options too). - I have not used this module in a production environment yet.

If you are really getting serious about projecting a secure image, use Session Limit - it will force the users to log out of one browser before logging in via another (or at a different location). So assuming that the session limit is 1, if a user is logged in to a Drupal site from their work computer and they log in from their home computer, they would be forced to either log off the work computer session, or log off their current session.