Password-less users

How to work with users without passwords (e.g., newsletter recipients)

In most cases, your website visitors register themselves as known users because they’d like to access some part of your website with content or data that is otherwise restricted. These users typically would like to be able to access their order history, make favourite lists, etc. For this, they need a username and a password.

But what about the case when users just want to sign up for a newsletter or similar, but don’t want to create an account as such? This article will cover approaches to creating users without a password, and discuss challenges and strategies of maintaining mixed users (with and without passwords) in the same solution.

Let’s quickly establish the gradations between users. First, note that visitors making purchases can (depending on your setup) remain anonymous, even though they submit their personal information. In this setup the information is only kept on the order, and they are not saved as users in the database, unless your setup allows them to create users at the same time.

But in order to receive newsletter email communication from DynamicWeb, you do indeed need to become a user. But you don’t need to have a password, and your email can function as your username.

You can create a new email recipient in this manner using the following paragraph apps:

• Extranet
• Shopping Cart
• Forms for Editors

Swift provides partial support for this use case, so depending on the situation, you will be expected to do some custom template work.

Using the Extranet app

To create a password-less user with the Extranet app, you:

1. Select the ‘Create profile / Manage subscription’ option
2. Create a template without the password fields

If you are using the Swift template set, you might do a save-as of the provided default template and further customize the template. Note that this template is currently written using Template Tags, so you’ll need to understand how to work with these kinds of templates (cf. Template Tags documentation (DynamicWeb 9)). If you do set out to create a form without the user creating a password, you’ll need to add a hidden input field to your form in the template, indicating that the users intent is to allow receiving emails:

<input type="hidden" name='@GetString("UserManagement:User.EmailAllowed.Hidden.InputName")' value="1" />

Moreover, you should ensure that you otherwise finish your setup requiring validation of the user from an email link, as is common practice whether or not the user is created with a password.

When using the extranet app, note also that you have the ability to give the user the option to choose between several ‘User selectable groups’, which you must, however, handle in your own template. Membership of these groups can then form the basis for different email marketing campaigns.

Using the Shopping Cart app

To create a password-less user with the Shopping Cart app, you can setup the app settings under ‘User management’ to create a user during Checkout.

When using Swift, you have two options in the template, either a checkbox to sign up for the newsletter (without setting a password) or to create a user with a password. Note that the checkbox sets ‘Email permission’ checkbox to true on the user, whether or not a password has been set.

But be careful, as you can only designate one set of one or more user groups, which can be problematic if your relying on your user-group structure to distinguish email newsletter recipients from other kinds of users, that may perhaps belong to different groups.

Using the Forms for editors app

To create a password-less user with the Forms for Editors app, you have a similar area under ‘User Management’ of the app settings. In the form itself, you add your fields and using the ‘Values’ option in each field, you match up with the user fields.

Again, you only have the ability to create a user for a single set of one or more groups, so this might be a limitation that requires you to find a different approach.

Obtaining a password

But what if you want to allow a user without a password to be converted to a user with a password?

One option is to ensure your website guides the user to use the ‘forgot password’-function, which will send a link with a token to their email and allow them to create a password. In this case, they’ll remain in the same user group.

Another option is to setup a page with an extranet app where password-less users can "create a user", but use the Update existing users based on email match option on the app, so that so any password-less users will get the password they set on this page added to their current user, plus get associated with any user groups you have setup on the page. This option is also available in the Shopping Cart app.

Changing preferences without a password

A classic question is then how one allows a user without a password to change their preferences, for example setups where you are allowing your users to belong to multiple groups determining what communication they receive. The answer is again the aforementioned ‘Update existing users based on email match’ with an appropriately setup Extranet app paragraph.

But be cautious here, as there is a potential security compromise in creating a setup where user preferences can be changed based on knowledge of a given users mail. Consider setting ‘Approval’ under ‘Create User’ to ‘By user’ with a setup for email confirmation using a template with a confirmation link in the mail.