Do I need to auto-login after account activation?

Question

This is the standard scenario:

1. User registers on the site
2. User receives an account activation email, clicks link to activate
3. Web site notifies the user that account is activated

Now there are at least two pathways:

1. User is taken to the login screen and asked to enter login details
2. User is automatically logged in and taken to a welcome/profile/etc page

While there are obvious benefits in (2) as far as the user's experience is concerned, there could be drawbacks as well. Option (1) offers improved security at cost of UX.

Which of the scenarios is preferable and why? Any serious flaws in any of them?

Answer 1

While I prefer the 'activate your account' method, there are arguments for automatically logging a user in.

For instance, if its a commerce website, you'd want the user to not be inhibited from buying items when the moment strikes them. If they have to wait for an email before making their first purchase, you could lose a customer. We run some stores that require having a user account first because of the nature of the store, and it actually increased sales (albeit slightly) when autologin was enabled from the registration function.

Answer 2

If your user does not enter sensitive data during the registration process, logging them in instantly would make your application more convenient. Also consider that if your application offers a functionality to recover accounts of users who have lost their passwords by sending an reactivation/password e-mail (and I'm pretty sure it does), you already assume the user is able to keep their e-mails away from snoopy folks, so why not log them in after activating?