Skip to main content

Sign in after registration

The session action is used to sign in the user after they successfully registered. If the option to verify the email address before allowing users to sign in is enabled, the session action can be used one time to bypass this requirement.

For example, after the user successfully registers, you can use the session action to sign them in immediately, bypassing the requirement to verify their email address first. This allows the user to start using the application right away, without having to wait for account verification. The user still has to verify their account before they sign in the next time after they registered.

The session action provides a convenient way to sign in users and control the flow of events in your application.

note

Ory automatically activates the session action when a user signs up using a social sign-in provider.

Toggle action

info

This action modifies the HTTP response. As a result, no other hooks can be executed after the session action. If you want to trigger multiple actions that modify the HTTP response in your setup, make sure that session is triggered last.

Follow these steps to toggle this action on or off:

  1. Sign in to the Ory Console and select Authentication Settings.
  2. Toggle Sign In After Registration.
  3. Click Save.

Web browser registration

The hook sends a Set-Cookie HTTP header which contains the session cookie. The user is signed in immediately.

danger

Using this job as part of your post-registration workflow makes your system vulnerable to Account Enumeration Attacks because a threat agent can distinguish between existing and non-existing accounts by checking if Set-Cookie was sent as part of the registration response.

Native App registration

When the registration is performed through an API client (such as a mobile app), the hook creates a session and returns the session token and the session itself in the response body as application/json:

{
  "session": {
    "id": "..."
    // ...
  },
  "session_token": "...",
  "identity": {
    "id": "..."
    // ...
  }
}