Home/ Questions/Q 1006597
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T08:29:11+00:00

This is something I’ve wondered about in a couple of frameworks that I’ve messed

  • 0

This is something I’ve wondered about in a couple of frameworks that I’ve messed around with. Assuming I don’t want to automatically log a user in when they register (I want them to activate) how can I make it so a user can’t just visit the “register-success” page? Right now, here’s what I have:

def register(request):
    if request.method == 'POST':
        rf = forms.RegisterForm(request.POST)#register form
        pf = forms.ProfileForm(request.POST)#profile form (additional info)
        lf = forms.LoginForm()#login form is also on this page but is empty when registering
        if rf.is_valid() and pf.is_valid():
            newuser = User(username=rf.cleaned_data['username'],email=rf.cleaned_data['email'])
            newuser.set_password(rf.cleaned_data['password'])
            newuser.save()
            #need to mark newuser as inactive still
            profile = pf.save(commit=False)
            profile.user = newuser
            profile.save()
            return HttpResponseRedirect("/register-success/")
        return render_to_response("authentication/index.html", {'rform': rf, 'pform':pf,'lform':lf})
    return main(request)

def register_success(request):
    return render_to_response("authentication/register-success.html")

My url-conf:

(r'^register-success/$','register_success'),

The other way I thought to do it was to just render_to_response(“authentication/register-success.html”) and not do the redirect. The benefit is, no one can access the register-success.html page, the downside is if the user refreshes the page it will try and resubmit the POST. What’s the best practice?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would stick with the redirect, getting duplicate users is a fairly large risk. What is the risk of someone seeing your register success page who hasn’t registered? If there is a risk, you could always generate a random token, put it in session and pass it to your register-success page and then in your view check that the token matches. But that seems like a lot of work for what typical success pages are.

    My recommendation would be to not worry about people being able to get to that page without registering. If it is just static HTML, there can’t be any risk with showing to to everybody, right?

    • 0