Should user auto-login after registration?

Question

Is it safe to login user automatically after registration?

User fills registration form, some info message is sent to his mailbox, and what then:

• User redirected to login page asking him for credentials;

OR

• User auto-logins as his newly created user?

I feel something not safe enough in auto-login, but can't figure it out!

Answer 1

If they just filled out the login information and you're not concerned about confirming that the email address is legit, then there shouldn't be a problem just logging them in directly.

However, you open yourself up to people/bots creating bogus accounts (at least ones without legitimate email addresses). If you're concerned about that (not sure it this is a public facing app or intranet, etc) then you should at least verify the email address by sending a link with a guid or some identifier that you can track back. Then you can let them log-in once they are confirmed.

You could also just tie it to their StackExchange/Facebook/OpenID/etc account and not make users fill out yet another form and worry about maintaining all that information.