i am developing an e-commerce website. i only want to allow a customer to log in to their account once their payment has been accepted. i want to do this to avoid people setting up spoof accounts on my database when they have no intention of paying.

i have 2 options regarding the setting up of a username and im not sure which is best. perhaps somebody can tell me.

1. let the user decide a username and password when filling in the form. then i could send them an email when the payment has been accepted re-stating their username and password they have chosen and saying they can now log in.

2. generate a username and password for them automatically. send this out in an email when the payment has been accepted and give them the option to change.

also is it safe for me to email the username and password to them once they have payed or am i opening myself up to problems? if so whats the best way for me to tackle this?

thanks!

first option would be best. just add one more field in db 'active' so then they would pay you just check user as paid and they could login to secret area

hi and thankd for your reply.

i agree option 1 is better. in this scenario i may have to email them when their account is activated in case they have paid by cheque or postal order.

should i consider using their email as a username? is this good practice? thanks.

well - generally an email is a common practise but dependant upon what kind of "ordering" your users are doing it might make more sense just to generate a random "order #" - that way their login would be specific to their order - which sounds like what you want.

also - if they use their email usually more then just they know it - so its just extra securityfor you and them.