# ory-network
Hi there, I believe there should be a setting on verification to sign you in after a successful verification. We have the following configuration:

• Require verified address for login - Enabled
• Show verification screen after password registration - Enabled
• Enable sign in after registration - Disabled (for security reasons we can't allow this)

After you register you are redirected to the verify account screen, which is correct. But after verifying your account you are then redirected back to login. The same goes when you try to sign in with an unverified account: you are redirected to the verify your account screen, but after verifying it takes you back to the login screen to re-enter the same details you just entered. I also tested with wrong details; it won't redirect you to the verify screen. So Ory already knows you entered the correct details, you just need to verify your email.

The expected behaviour is that there should be a setting that is the same as "Enable sign in after registration" but for verification. So after successful verification it will sign you in and redirect to the return_to URL. Basically how the sign-in with code works. cc: @broad-eve-11212
Hi @magnificent-energy-493 @high-optician-2097, has someone from Ory considered the above?
Hello @abundant-baker-49319, to get the behaviour you are looking for you need to enable "Sign in after registration". Can you tell me a bit more about the security reasons why you want to disable this setting?
We found that if you enable sign-in after registration, you can navigate away from the verification screen before validating your email and you will still be authenticated. So you can complete signed-in actions with an unverified email.
Hello @magnificent-energy-493, as Dylan mentioned, the problem is that after you have registered you receive a valid session cookie but you haven't verified your email yet. So they can bypass the verification screen and use the system as if they are signed in with that email. This creates a security issue where they can take any email that might be in our system, register with it but not verify it, and see the info of that email. So it isn't possible to enable "sign in after registration" with how it currently works. We need the same functionality, but after verification. Or, if "sign in after registration" is enabled and the redirect to verification is also enabled, the session cookie should only be presented after you have verified, not before.
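A server-side mitigation for the gap described in this thread, as an added example that is not Ory's code nor anything posted by the participants: an application gates its signed-in actions on the verification state carried in the Kratos whoami session, not on the mere presence of a session cookie. The fields used (`active`, `identity.verifiable_addresses[].verified`) follow the Ory Kratos session schema; the two sample responses are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// whoamiSession is the subset of the Kratos /sessions/whoami response that
// the check needs; every other field in the response is ignored.
type whoamiSession struct {
	Active   bool `json:"active"`
	Identity struct {
		ID                  string `json:"id"`
		VerifiableAddresses []struct {
			Value    string `json:"value"`
			Via      string `json:"via"`
			Verified bool   `json:"verified"`
		} `json:"verifiable_addresses"`
	} `json:"identity"`
}

// RequireVerifiedSession returns nil only when the session is active and
// every verifiable address on the identity has been verified. Call it on
// routes that must not be reachable with a registered-but-unverified email.
func RequireVerifiedSession(raw []byte) error {
	var s whoamiSession
	if err := json.Unmarshal(raw, &s); err != nil {
		return fmt.Errorf("parse session: %w", err)
	}
	if !s.Active {
		return errors.New("session is not active")
	}
	if len(s.Identity.VerifiableAddresses) == 0 {
		return errors.New("identity has no verifiable address")
	}
	for _, a := range s.Identity.VerifiableAddresses {
		if !a.Verified {
			return fmt.Errorf("address %s (%s) is not verified", a.Value, a.Via)
		}
	}
	return nil
}

// Constructed sample whoami responses (not captured from a real deployment).
const unverifiedSession = `{"active":true,"identity":{"id":"example-id","verifiable_addresses":[{"value":"alice@example.com","via":"email","verified":false}]}}`
const verifiedSession = `{"active":true,"identity":{"id":"example-id","verifiable_addresses":[{"value":"alice@example.com","via":"email","verified":true}]}}`

func main() {
	fmt.Println(RequireVerifiedSession([]byte(unverifiedSession))) // address alice@example.com (email) is not verified
	fmt.Println(RequireVerifiedSession([]byte(verifiedSession)))   // <nil>
}
```

With this in place, a user who navigates away from the verification screen still holds a session cookie, but the application refuses the protected action until the address is verified.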