Lazy Registration on the Web: Best Practices - lazy-registration

I first encountered the concept of lazy registration the Ajax Patterns site, where they define it as accumulating "bits of information about the user as they interact, with formal registration occurring later on." I'm looking at doing something similar for my website, but I'd like to know a little bit more about best practices before I start implementing it. My site is about web development, but general best practices are great too. How have you implemented lazy registration on your sites or projects? Where have you seen it in the wild? What do you like or dislike about it?

Have a look at this vid, a very good overview of the lazy registration pattern:
http://www.90percentofeverything.com/2009/03/16/signup-forms-must-die-heres-how-we-killed-ours/

I say this not as a person who has designed such a site before, but as a person that might visit that site. :)
With that said, the thing that I would be the most concerned about is knowing what kind of information is being collected about me. And I think that there should be an option to opt out of collecting the information and instead entering it all during formal registration.
But other than that, if it makes registering for a website easier, I'd be all for it. I leave 9 out of 10 sites that require me to register to do stuff.

One way that I was thinking about implementing this is when users leave blog comments. A common Wordpress format is to allow site visitors to comment as long as they leave a name and an email address. If I followed a similar pattern and then after they submit their comment, ask them if they would also like to register by having username and password inputs right there, with their email pre-filled in the email address input. There would also be a message saying that if they choose not to register at that time, their email address won't be saved (other than in association with the blog comment). If you think of something to add to this, leave a comment.

Use OpenID.
I hate it when I have to enter the same data over and over again, and to think of new passwords because you (read: the website) likely store them as plaintext.
Oh, and please don't require me to give you a fake email.

Like this way www.soup.io/signup or the email way www.posterous.com or www.tripit.com

Related

Basic Web Development Questions (building a working test site)

I am new to this site and coding. I have self taught myself html and I understand css. I have been putting together a site of mine using my basic knowledge. I have no college experience but this is MY DREAM to put this site together so I have done a lot of research and read books to get started but I have hit a roadblock now. Here is what I have done:
-I have put together all of the front end pages and design using html/css. So, I have all of the pages that would be involved with the site, ready to go. All designed and have the layout how I wish it to be.
I guess I would call it the "skeleton" of the site. Any page that a user would be directed to, I have in a folder.
I have put together a little "demo" for myself to mimic a user experience. For example, I created a login page that "looks" how i want it to be but it doesnt actually store or save any logins.
This is my first question:
What is my next step? I admit it sounds stupd but I am self taught and I really have the ambition to acheive this I just can not figure out where to go from here in order to actually make a functioning site. All I have right now is my html "demo" where basically I have to follow a certain path down my site that mimics what a user would do on the site. I have it now where I click on the "sign up" button on my html form and it basically just redirects to my "new user" page. Then it is the same formula throughout the rest of my demo. I just put my other html pages I have designed into the html to sort of give a "user experience" to the demo. But I REALLY want to be able to have working accounts and saved data.
How do I create/save a user login to my site? DO i need to get a sql database? Is there a free one to use while i build the site? Honestly i really need someone who is willing to help me out with the steps in this journey without me sharing my entire site (i wish to keep it to my self) but.. i understand this is basic web stuff i just am genuinely lost as how to take it to the next level. I have all of the html done and now i need a way to actually make it work. I wish to conversate with someone please about this kink in the chain i am seeming to find myself in please. Thank you so much and I would be grateful. :)
----basically what programming languages do i need to learn, or when looking for someone to hire, what should they be skilled in? any software or sites or databases that i need? please help!!!
HTML and CSS are the languages that make up the front end of a website, like you said. In order for your website to have dynamic content (content specific to a user) and the ability to actually process logins, etc., there needs to be a server involved. A webpage is a text document that is interpreted by a browser. HTML makes up the content and CSS tells the browser how you want it to look. What you are missing, primarily, is server scripts, most commonly, in my experience, PHP. You can also include JavaScript for client-side effects.
Specific to your question about a user login, yes, you will need a database. The process should look something like this.
User visits login page
User enters information into an HTML form
User clicks submit
Form is submitted to a server URL using the 'POST' method
Server validates the form content
Server checks database for username or email (whichever you are using)
If the username/email exists, it compares the passwords
Server sends a response back to the client, either good or bad
Once the user is validated, you can redirect the user to the dashboard or user section.
Please keep in mind this is a very simplistic version of events. There are more in depth steps that need to be taken, for example, your passwords should never be stored in a database as plain text, you should use a one-way encryption (hashing) algorithm to make them unreadable. Then when a password is given to the server it should be hashed and you should compare the hashes. You can also use salts when hashing for more security. The form should use SSL to prevent man in the middle attacks, etc.
Sounds like you are off to a good start, but in order to make it work you have to add the server logic. Self-teaching will get you as far as you are willing to let it. I taught myself how to do web programming, and now I do it as a business. The Internet is a great resource. There are a ton of great tutorials online that will show you how to do everything I just laid out.

Keep track on referrered links

Many sites have this implemented, I don't know how exactly it is called so its hard for me to search for it
you can see links in websites such as facebook,twitter that have urls similar to
www.website.com/some-article?ref=home
so in this case, the back-end will take note that the link was clicked from the home page and keep track of this
my question is - is there a known practice / knowledge on how this needs to be done or do I just need to insert my own ref parameters and keep track of this manually?
is there a gem / library that assists in doing this?
You can do this manually. It's very easy to implement. Most website like facebook and twitter use this to track what their users generally do. This is kind of silent survey that is used to provide better user experience.
It is also used in search engines such as Google to track where the traffic for particular hit comes from. You will know this better if you have a Google blogspot blog.
But, there is no limit to innovation. You can use it in whichever way you want.
In PHP, you can use $_SERVER['HTTP_REFERER"]
session_start();
if ( !isset( $_SESSION["origURL"] ) )
$_SESSION["origURL"] = $_SERVER["HTTP_REFERER"];
Sorry, I don't know ruby. There should be pre-written libraries to help you in this, but I don't know about any. You can create your own library for this. It will provide better control.

Get FirstName, LastName and other from OpenId?

Here the relevant functions from the ASP.NET MVC template.
How do I get some additional attributes of the user such as FirstName etc? I don't mind using DotNetOpenAuth, if there is no other choice, I obviously prefer the in-box version.
I'm unsure what I have to change there to make it work, I don't want to mess it all up.
I think the answer is you can't. The ASP.MVC template makes login easy, but that's pretty much all it is. Just authentication. It provides little or no information about the user other than it's the same user that was here before.
If you want to get additional information for the user, I suggest you handle more of the login yourself. An example of how to do this is in the OpenIdRelyingParty MVC sample that you can download here.

Block spam from "tell a friend" forms

You have to have a form on your website for people to send an email to a friend if they found something interesting. You can force people to be logged in (which is not a good option in my case). You can make time delay (this is not really urgent email, so it can wait for 5 minutes). Do you have this problem? How would you solve it?
Edit: I am mostly interested in stopping manual spam
Do you have a problem with automated scripting of your form, or people genuinely using it too much?
The simple solution to the bot problem is a Captcha, such as ReCaptcha. The user-friendliness is questionable, but it would perhaps solve your problem.
You can also use something different from all those captcha scripts. Let me tell you what I do:
- I create a md5 hash:
$secretWord='TryToHashMe';
$formID='myForm';
$md5Value=md5($secretWord.$formID);
echo '<input type="hidden" name="form-check" value="'.$md5Value.'">';
echo '<input type="hidden" name="bot-check" value="">';
those are 2 very simple ways because: 1) auto bots try to fill all your inputs and 2)the hash is not provided, this mean you have a post request from outside your site. The hashing could be extended with some session or cookie, too.
All the best!
I would recommend a Captcha or if you would like something a bit less intrusive, have a simple math problem(which changes) so you just have something like:
For spam protection: Type what Two Plus Two is here _________
I did this on my personal website and never had a problem(and I had a lot of attempts that failed by spambots)
This service has very good anti-spam measures.
http://www.tellafriendking.com/features.php?showall=1#spam-free
FYI, I am involved with the company, so I'm not entirely unbiased, but we do get a lot of refugees who come to us to end their spam problems with other services or downloaded scripts.
Edit:
If you feel the need to vote down, perhaps you should leave a comment too...
The best solution is to use an all-purpose bot filtering solution. I know this is an old post, but a new botnet was discovered that uses these send to a friend modules to send spam (not a new technique but some interesting new advancements).
According to one security vendor (good tips), “At a minimum, they should include a rate-limiting mechanism that will prevent an IP address from issuing unreasonable numbers of requests over a specific period of time. Other DIY solutions are to have all users fill in CAPTCHAs and to enforce registration as a prerequisite to sending out an email message.”

How can I integrate users' logins from my site into phpBB?

I need some help with what is probably a newbie question in terms of modifying phpBB.
I have a whole system developed in PHP, and I would like to integrate phpBB so that people can navigate into the forums and post seamlessly, without logging in again.
Now, using the phpBB users table as the users table for my system (and having people register in phpBB instead of in my website) is not possible unfortunately (it'd take more work to redo our system than to build our own basic forum).
I'm assuming I can hack my way into making phpBB believe that a certain user ID has logged in, however, that user won't exist in phpBB's users table (which I'm assuming will cause it to error out pretty much everywhere).
All the tutorials and forum posts I could find implied having phpBB as the primary. I couldn't find anything to do it the other way around.
I'm guessing the only possible way to solve this is by having both tables relatively synchronized.
Now, provided that I can have both users table synchronized, what is the best way to integrate both sites, keeping my site's login and users table as the "primary" ones?
Also, is there anything in particular I should keep in mind when creating records in phpBB's users table? Or is it relatively straightforward to figure out? What tables should I be writing to, if there is more than one?
This is an old question so I'm sure you've worked something out by now, but if you need to refactor things in the future, this is entirely possible with authentication plugins in phpBB3:
http://wiki.phpbb.com/Authentication_plugins
I'm working on one now where phpBB is the "secondary" system, and it's going pretty well.
I just worked on this task today, after some investigation implemented an Authentication plugin Here is a good example Getting phpBB to accept Django sessions
I have integrated phpBB with a site before, however I used phpBB's login system/users table as the primary one as you said. Since phpBB is a pretty advanced forum software, it would be a pretty time consuming project to change its user and login system completely.
When I had to use the site's login as the primary one, I used PunBB. It was way simpler to modify PunBB.
If you absolutely have to use your own login as primary, and phpBB, then I agree with you in that the easiest way would be to keep the tables synchronized, and call both the login scripts when somebody logs in.
When you're inserting data into phpBB, the users table is pretty straightforward. Each entry has the basic info for a user, and if you have custom fields for the user profiles, they go into the profile_fields and profile_fields_data tables.
One tricky thing is how phpBB encrypts user passwords. I think you have to use phpBB's function called phpbb_hash($password) to do that. It's declared in the file
phpbb/includes/functions.php
For the phpBB login code, see funciton login_box in file phpbb/includes/functions.php
You can use the below to login into phpBB:
$result=$auth->login($username, $password);
if ($result['status'] == LOGIN_SUCCESS) {
echo "You're logged in";
} else {
echo $user->lang[$result['error_msg']];
}