ubernostrum / django-registration

An extensible user-registration app for Django.
BSD 3-Clause "New" or "Revised" License

Why is user not logged in immediately after validating HMAC registration? #162

Closed petterreinholdtsen closed 6 years ago

petterreinholdtsen commented 6 years ago

Hi. Why is it that the one-step registration can automatically log in the user after registration, while the HMAC-based two-step registration does not log the user in after the second step?

ubernostrum commented 6 years ago

For a couple of reasons:

  1. The standard Django login flow is to call authenticate() and then login(), in order to ensure the correct authentication backend is recorded. But that requires knowing the user's password, which we don't have in plaintext during the activation step (we only have it during the registration step). You could manually hack around this, but it's not wise to deviate from the standard flow.
  2. (more important) The one-step process does everything in one go, as the name implies. The activation process has an intermediate step involving an email. Someone who intercepts that email, or who mistakenly receives it, should not be automatically logged in upon clicking the activation link; requiring a manual login after activation ensures that even if you manage to get someone else's activation key, you don't automatically get into their account (you could still exploit password reset if it's available, but at least it's a little bit harder).
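A minimal model of the two-step flow the reply describes, added here as an example and not code from django-registration or Django itself: the activation key is an HMAC over the username only, so the activation step can verify the key and activate the account but has no password to hand to `authenticate()`, and an intercepted key on its own yields no session. The secret key, user table, password hashing and session dict are constructed stdlib-only stand-ins.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-ins for the server's SECRET_KEY and user table (demo only).
SECRET_KEY = b"constructed-secret-key-for-demo-only"
USERS = {}  # username -> {"hash": bytes, "salt": bytes, "active": bool}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> str:
    """Step 1: store a hashed password and return an HMAC-signed activation key.
    The key commits only to the username; the plaintext password is never kept."""
    salt = os.urandom(16)
    USERS[username] = {"hash": _hash_password(password, salt), "salt": salt, "active": False}
    tag = hmac.new(SECRET_KEY, username.encode(), "sha256").hexdigest()
    return f"{username}:{tag}"


def activate(key: str) -> Optional[str]:
    """Step 2: verify the key and mark the account active.
    Returns only the username: there is no password here to authenticate with,
    so the caller cannot run the standard authenticate() -> login() flow."""
    username, _, tag = key.partition(":")
    expected = hmac.new(SECRET_KEY, username.encode(), "sha256").hexdigest()
    if username not in USERS or not hmac.compare_digest(tag, expected):
        return None
    USERS[username]["active"] = True
    return username


def authenticate(username: str, password: str) -> Optional[str]:
    """First half of the standard flow: needs the plaintext password, active accounts only."""
    record = USERS.get(username)
    if record is None or not record["active"]:
        return None
    if not hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"]):
        return None
    return username


def login(session: dict, username: str) -> None:
    """Second half of the standard flow: record the user and the backend that authenticated them."""
    session["user"] = username
    session["backend"] = "ModelBackend"
```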