Sign in after registration
The session
action is used to sign in the user after they successfully registered. If the option to verify the email address
before allowing users to sign in is enabled, the session
action can be used one time to bypass this requirement.
For example, after the user successfully registers, you can use the session
action to sign them in immediately, bypassing the
requirement to verify their email address first. This allows the user to start using the application right away, without having to
wait for account verification. The user still has to verify their account before they sign in the next time after they registered.
The session
action provides a convenient way to sign in users and control the flow of events in your application.
Ory automatically activates the session
action when a user signs up using a social sign-in provider.
Toggle action
This action modifies the HTTP response. As a result, no other hooks can be executed after the session
action. If you want to
trigger multiple actions that modify the HTTP response in your setup, make sure that session
is triggered last.
Follow these steps to toggle this action on or off:
- Ory Console
- Ory CLI
- Go to Authentication → Registration in the Ory Console.
- Toggle Enable sign in after registration.
- Click Save.
Run this command:
ory patch identity-config --project <project-id> --workspace <workspace-id> \
--add '/selfservice/flows/registration/after/hooks/0/hook="session"'
Web browser registration
The hook sends a Set-Cookie
HTTP header which contains the session cookie. The user is signed in immediately.
Using this job as part of your post-registration workflow makes your system vulnerable to Account Enumeration Attacks because a threat agent can distinguish between existing and non-existing accounts by checking if Set-Cookie was sent as part of the registration response.
Native App registration
When the registration is performed through an API client (such as a mobile app), the hook creates a session and returns the
session token and the session itself in the response body as application/json
:
{
"session": {
"id": "..."
// ...
},
"session_token": "...",
"identity": {
"id": "..."
// ...
}
}