i am developing an e-commerce website. i only want to allow a customer to log in to their account once their payment has been accepted. i want to do this to avoid people setting up spoof accounts on my database when they have no intention of paying.

i have 2 options regarding the setting up of a username and im not sure which is best. perhaps somebody can tell me.

1. let the user decide a username and password when filling in the form. then i could send them an email when the payment has been accepted re-stating their username and password they have chosen and saying they can now log in.

2. generate a username and password for them automatically. send this out in an email when the payment has been accepted and give them the option to change.

also is it safe for me to email the username and password to them once they have payed or am i opening myself up to problems? if so whats the best way for me to tackle this?

thanks!

Hi Buddy,

Consider these steps::

Step 1: user registers at your website. You can also Use email address as username and take password or take both username and password.
Step 2: Accept payment
Step 3: On successfull payment, send email with activation link
Step 4: User clicks on the link and it activates the account

Now user will user his email address / username and password to login

This is a simple authentication process and you even dont send password to user. I will also suggest you to add a forgot your password on ur website :)

Lemme know if there is any confusion.

Don't generate a name or pw for them. Users won't like it. They'll want to choose one they can remember.

This is why I suggested having email address...
More of websites do that so that members dont need to remember any username

aditya

thanks for your reply. your suggestion seems like a common sense approach and it makes a lot of sense to me.

i like the idea of using their email address as a username because this is one less thing for my customers to have to worry about when signing up.

however, i can foresee a potential problem with this and may have to consider using a username instead. let me explain. my website accepts payments by cheque and postal order.

what if Joe Spammer comes on and signs up for an account under 'johnsmith@yahoo.com'. he says hes paid by cheque and goes way. (really he's got no intention of paying hes just spamming my database).

later on the real johnsmith@yahoo.com comes along and wants to sign up. yet he is prevented from doing this because my database already has an entry under this email address!

???

I'd just go with a traditional username. Though with the not allowed to log in until payment is recieved issue, I'd just mark their account in the database as locked, until you recieve payment. Then once you have the payment, unlock the account.