security - Should email verification be followed by password-based login? Why?
[edit: considered off-topic here, reposted at https://security.stackexchange.com/questions/71657/should-email-verification-be-followed-by-password-based-login-why]
A typical account creation process seems to be:

1. Provide an email address, set a password
2. Receive a confirmation email with a link and/or a hashed token
3. Click the link to verify and/or enter the token on the site

However, I once read somewhere (and can't find it now, which is why I'm asking) that to improve this process you should modify step 3 to require the user to log in using the password provided in step 1. I think the rationale is that this precaution ensures the person verifying the email address is the same person who created the account.
Question: does the above explanation make sense, and should I implement email verification requiring password-based login?
It makes sense to me, and at least doesn't seem harmful -- other than making the user experience more cumbersome. But I see many online services not requiring this, and wonder why.
For example, here's a scenario I worry about. Suppose person #1 created an account but specified the wrong email address (maliciously or accidentally), and the confirmation got sent to person #2. If person #2 is naive, he/she might verify the email address by clicking the link... and forget about it. Person #1 can still log in using the password. Suppose person #1 does all sorts of bad stuff on the account. Is person #2 responsible?
I think an alternative solution might be to ask new users to first specify an email address, confirm it with a hashed token, and only then ask them to set a password. I don't see many online services doing it that way, either.
Here's what I do:
Upon account creation, log the user in then and there, i.e. the user creates an account and is immediately logged in.
In the meantime, display a message or so (and maybe don't activate the user's services) that tells the user he/she has received an email with a link to verify and confirm his/her account.
When the user clicks the link, it asks him to log in to confirm. If it's the same user (which we're hoping it will be), the browser should be able to locate the session cookie, put two and two together, match the session detail(s) that identify the user with the hashed link (that identifies the user), and automatically confirm the account. This ensures the security you want in a shorter procedure.
Now, let's look at the scenario you fear - the user gets the email wrong, and it goes to someone else. To begin with, add a "Not you? Ignore this message" sort of note in the confirmation emails. Now, I'm the naive 'someone else', and though I never created an account on the website, I decide to click the link anyway. When I do that, however, I'm greeted by a page that asks me to log in! Since I don't know the password, I can't log in, and since I can't log in, I can't confirm the account! Simple!
For a user who misspelt his/her email, add an option on the website that allows the user to change the email address he/she specified.
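The flow described in the answer above (account creation with immediate login, a hashed verification token, and a confirmation step that succeeds only when the session owner matches the token owner), together with the "wrong recipient" scenario from the question, as an added example that is not code from either poster. It assumes an in-memory dictionary standing in for the user and session store, PBKDF2 for password hashing, and that only the SHA-256 of the emailed token is stored server-side; all function names are made up for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store standing in for a database (assumption: a real
# deployment keeps these records in persistent storage with the same fields).
USERS = {}      # user_id -> {"email", "salt", "pw", "verified", "token_hash", "token_expires"}
SESSIONS = {}   # session_id -> user_id
TOKEN_TTL = 24 * 3600   # seconds a verification link stays valid


def _hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _issue_verification(user):
    """Mint a fresh one-time token. Only its hash is stored; the raw value is
    what would go into the emailed link. Issuing a new one un-verifies the account."""
    raw = secrets.token_urlsafe(32)
    user["token_hash"] = hashlib.sha256(raw.encode()).digest()
    user["token_expires"] = time.time() + TOKEN_TTL
    user["verified"] = False
    return raw


def create_account(email, password):
    """Create the account, log the user in immediately (the answer's first step),
    and return (session_id, emailed_token). Nothing is verified yet."""
    user_id = secrets.token_hex(8)
    salt, digest = _hash_password(password)
    user = {"email": email, "salt": salt, "pw": digest}
    USERS[user_id] = user
    token = _issue_verification(user)
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = user_id
    return session_id, token


def login(email, password):
    """Password login; returns a new session id, or None on failure."""
    for user_id, user in USERS.items():
        if user["email"] == email:
            _, digest = _hash_password(password, user["salt"])
            if hmac.compare_digest(digest, user["pw"]):
                session_id = secrets.token_urlsafe(32)
                SESSIONS[session_id] = user_id
                return session_id
    return None


def _user_for_token(token):
    """Look up the account an emailed token belongs to (None if unknown/expired)."""
    token_hash = hashlib.sha256(token.encode()).digest()
    for user_id, user in USERS.items():
        stored = user.get("token_hash")
        if stored and hmac.compare_digest(stored, token_hash):
            return None if time.time() > user["token_expires"] else user_id
    return None


def verify(token, session_id=None):
    """Handle a click on the emailed link. Outcomes:
      'invalid'        - unknown, expired or already-used token
      'login_required' - no session, or the session belongs to a different account
                         (the naive wrong recipient lands here and cannot proceed)
      'verified'       - session owner matches token owner; account is confirmed"""
    user_id = _user_for_token(token)
    if user_id is None:
        return "invalid"
    if SESSIONS.get(session_id) != user_id:
        return "login_required"
    user = USERS[user_id]
    user["verified"] = True
    user["token_hash"] = None   # one-time use
    return "verified"


def change_email(session_id, new_email):
    """For a misspelt address: the logged-in owner changes it and verification restarts."""
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        return None
    user = USERS[user_id]
    user["email"] = new_email
    return _issue_verification(user)
```

The important check is the single comparison in `verify`: the token alone proves only that someone can read the mailbox, while the session proves knowledge of the password, and confirmation requires both to point at the same account. A recipient who never created the account has no session and no password, so the link does nothing for them; changing the address re-issues the token and clears the verified flag so a corrected address must be confirmed again.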
Tags: security, login, passwords, user-accounts