Product support

Visit this product's website for support.


  • Utility

Front-end user management for October CMS.


This plugin requires the Ajax Framework to be included in your layout/page in order to handle form requests.

Managing users

Users are managed on the Users tab found in the back-end. Each user provides minimal data fields - Name, Surname, Email and Password. The Name can represent either the person's first name or their full name, making the Surname field optional, depending on the complexity of your site.

Below the Email field is an checkbox to block all outgoing mail sent to the user. This is a useful feature for accounts with an email address that is bouncing mail or has reported spam. When checked, no mail will ever be sent to this address, except for the mail template used for resetting the password.

Plugin settings

This plugin creates a Settings menu item, found by navigating to Settings > Users > User settings. This page allows the setting of common features, described in more detail below.


Registration to the site is allowed by default. If you are running a closed site, or need to temporarily disable registration, you may disable this feature by switching Allow user registration to the OFF setting.


Activation is a process of vetting a user who joins the site. By default, users are activated automatically when they register and an activated account is required to sign in.

The Activation mode specifies the activation workflow:

  • Automatic: This mode will automatically activate a user when they first register. This is the same as disabling activation entirely and is the default setting.
  • User: The user can activate their account by responding to a confirmation message sent to their nominated email address.
  • Administrator: The user can only be activated by an administrator via the back-end area.

You can allow users to sign in without activating by switching Sign in requires activation to the OFF setting. This is useful for minimising friction when registering, however with this approach it is often a good idea to disable any "identity sensitive" features until the user has been activated, such as posting content. Alternatively, you could implement a grace period that deletes users (with sufficient warning!) who have not activated within a given period of time.

Users have the ability to resend the activation email by clicking Send the verification email again found in the Account component.

Sign in

By default a User will sign in to the site using their email address as a unique identifier. You may use a unique login name instead by changing the Login attribute value to Username. This will introduce a new field called Username for each user, allowing them to specify their own short name or alias for identification. Both the Email address and Username must be unique to the user.

If a user experiences too many failed sign in attempts, their account will be temporarily suspended for a period of time. This feature is enabled by default and will suspend an account for 15 minutes after 5 failed sign in attempts, for a given IP address. You may disable this feature by switching Throttle attempts to the OFF setting.

As a security precaution, you may restrict users from having sessions across multiple devices at the same time. Enable the Prevent concurrent sessions setting to use this feature. When a user signs in to their account, it will automatically sign out the user for all other sessions.


When a user is first activated -- either by registration, email confirmation or administrator approval -- they are sent a welcome email. To disable the welcome email, select "Do not send a notification" from the Welcome mail template dropdown. The default message template used is rainlab.user::mail.welcome and you can customize this by selecting Mail > Mail Templates from the settings menu.

Extended features

For extra functionality, consider also installing the User Plus+ plugin (RainLab.UserPlus).

Session component

The session component should be added to a layout that has registered users. It has no default markup.

User variable

You can check the logged in user by accessing the {{ user }} Twig variable:

{% if user %}
    <p>Hello {{ user.name }}</p>
{% else %}
    <p>Nobody is logged in</p>
{% endif %}

Signing out

The Session component allows a user to sign out of their session.

<a data-request="onLogout" data-request-data="redirect: '/good-bye'">Sign out</a>

Page restriction

The Session component allows the restriction of a page or layout by allowing only signed in users, only guests or no restriction. This example shows how to restrict a page to users only:

title = "Restricted page"
url = "/users-only"

security = "user"
redirect = "home"

The security property can be user, guest or all. The redirect property refers to a page name to redirect to when access is restricted.

Route restriction

Access to routes can be restricted by applying the AuthMiddleware.

Route::group(['middleware' => 'RainLab\User\Classes\AuthMiddleware'], function () {
    // All routes here will require authentication

Account component

The account component provides a user sign in form, registration form, activation form and update form. To display the form:

title = "Account"
url = "/account/:code?"

redirect = "home"
paramCode = "code"
{% component 'account' %}

If the user is logged out, this will display a sign in and registration form. Otherwise, it will display an update form. The redirect property is the page name to redirect to after the submit process is complete. The paramCode is the URL routing code used for activating the user, only used if the feature is enabled.

Reset Password component

The reset password component allows a user to reset their password if they have forgotten it.

title = "Forgotten your password?"
url = "/forgot-password/:code?"

paramCode = "code"
{% component 'resetPassword' %}

This will display the initial restoration request form and also the password reset form used after the verification email has been received by the user. The paramCode is the URL routing code used for resetting the password.

Using a login name

By default the User plugin will use the email address as the login name. To switch to using a user defined login name, navigate to the backend under System > Users > User Settings and change the Login attribute under the Sign in tab to be Username. Then simply ask for a username upon registration by adding the username field:

<form data-request="onRegister">
    <label>Full Name</label>
    <input name="name" type="text" placeholder="Enter your full name">

    <input name="email" type="email" placeholder="Enter your email">

    <input name="username" placeholder="Pick a login name">

    <input name="password" type="password" placeholder="Choose a password">

    <button type="submit">Register</button>

We can add any other additional fields here too, such as phone, company, etc.

Error handling

Flash messages

This plugin makes use of October's Flash API. In order to display the error messages, you need to place the following snippet in your layout or page.

{% flash %}
    <div class="alert alert-{{ type == 'error' ? 'danger' : type }}">{{ message }}</div>
{% endflash %}

AJAX errors

The User plugin displays AJAX error messages in a simple alert()-box by default. However, this might scare non-technical users. You can change the default behavior of an AJAX error from displaying an alert() message, like this:

    $(window).on('ajaxErrorMessage', function(event, message){

        // This can be any custom JavaScript you want
        alert('Something bad happened, mate, here it is: ' + message);

        // This will stop the default alert() message


Checking if a login name is already taken

Here is a simple example of how you can quickly check if an email address / username is available in your registration forms. First create an AJAX handler to check the login name, here we are using the email address:

public function onCheckEmail()
    return ['isTaken' => Auth::findUserByLogin(post('email')) ? 1 : 0];

For the email input we use the data-request and data-track-input attributes to call the onCheckEmail handler any time the field is updated. The data-request-success attribute will call some jQuery code to toggle the alert box.

<div class="form-group">
    <label>Email address</label>
        data-track-input />

<div id="loginTaken" class="alert alert-danger" style="display: none">
    Sorry, that login name is already taken.

Overriding functionality

Here is how you would override the onSignin() handler to log any error messages. Inside the page code, define this method:

function onSignin()
    try {
        return $this->account->onSignin();
    catch (Exception $ex) {

Here the local handler method will take priority over the account component's event handler. Then we simply inherit the logic by calling the parent handler manually, via the component object ($this-&gt;account).

Auth facade

There is an Auth facade you may use for common tasks, it primarily inherits the October\Rain\Auth\Manager class for functionality.

You may use Auth::register to register an account:

$user = Auth::register([
    'name' => 'Some User',
    'email' => '[email protected]',
    'password' => 'changeme',
    'password_confirmation' => 'changeme',

The second argument can specify if the account should be automatically activated:

// Auto activate this user
$user = Auth::register([...], true);

The Auth::check method is a quick way to check if the user is signed in.

// Returns true if signed in.
$loggedIn = Auth::check();

To return the user model that is signed in, use Auth::getUser instead.

// Returns the signed in user
$user = Auth::getUser();

You may authenticate a user by providing their login and password with Auth::authenticate.

// Authenticate user by credentials
$user = Auth::authenticate([
    'login' => post('login'),
    'password' => post('password')

The second argument is used to store a non-expire cookie for the user.

$user = Auth::authenticate([...], true);

You can also authenticate as a user simply by passing the user model along with Auth::login.

// Sign in as a specific user

The second argument is the same.

// Sign in and remember the user
Auth::login($user, true);

You may look up a user by their login name using the Auth::findUserByLogin method.

$user = Auth::findUserByLogin('[email protected]');

Guest users

Creating a guest user allows the registration process to be deferred. For example, making a purchase without needing to register first. Guest users are not able to sign in and will be added to the user group with the code guest.

Use the Auth::registerGuest method to create a guest user, it will return a user object and can be called multiple times. The unique identifier is the email address, which is a required field.

$user = Auth::registerGuest(['email' => '[email protected]']);

When a user registers with the same email address using the Auth::register method, they will inherit the existing guest user account.

// This will not throw an "Email already taken" error
$user = Auth::register([
    'email' => '[email protected]',
    'password' => 'changeme',
    'password_confirmation' => 'changeme',

Important: If you are using guest accounts, it is important to disable sensitive functionality for user accounts that are not verified, since it may be possible for anyone to inherit a guest account.

You may also convert a guest to a registered user with the convertToRegistered method. This will generate a random password and sends an invitation using the rainlab.user::mail.invite template.


To disable the notification and password reset, pass the first argument as false.



This plugin will fire some global events that can be useful for interacting with other plugins.

  • rainlab.user.beforeAuthenticate: Before the user is attempting to authenticate using the Account component.
  • rainlab.user.login: The user has successfully signed in.
  • rainlab.user.logout: The user has successfully signed out.
  • rainlab.user.deactivate: The user has opted-out of the site by deactivating their account. This should be used to disable any content the user may want removed.
  • rainlab.user.reactivate: The user has reactivated their own account by signing back in. This should revive the users content on the site.

Here is an example of hooking an event:

Event::listen('rainlab.user.deactivate', function($user) {
    // Hide all posts by the user

A common requirement is to adapt another to a legacy authentication system. In the example below, the WordPressLogin::check method would check the user password using an alternative hashing method, and if successful, update to the new one used by October.

Event::listen('rainlab.user.beforeAuthenticate', function($component, $credentials) {
    $login = array_get($credentials, 'login');
    $password = array_get($credentials, 'password');

     * No such user exists
    if (!$user = Auth::findUserByLogin($login)) {

     * The user is logging in with their old WordPress account
     * for the first time. Rehash their password using the new
     * October system.
    if (WordPressLogin::check($user->password, $password)) {
        $user->password = $user->password_confirmation = $password;
  • Found the plugin useful on 21 Jun, 2018

    Maybe it will help some one If you use custom layout:

    1. do not forget to add {% framework extra %} at the end of layout. Otherwise AJAX will not work

    2. add at the (!) top of layout file [account] redirect = "dashboard" paramCode = "code" forceSecure = 0

      Otherwise you will get onRegister and onSignin not found

  • Found the plugin useful on 1 Jun, 2018

    amazing plugin !

  • Found the plugin useful on 29 May, 2018

    Lovely theme with a nice and easy to use page builder. Used this theme for developing a new website for a client. At the same time I was discovering and learning the October Content Management System. While walking this path, I noticed that the support of the theme-developer is excellent ...

  • Found the plugin useful on 12 May, 2018

    This plugin is awesome! Thanks

  • Found the plugin useful on 17 Apr, 2018

    Excellent plugin, it fulfills its function!

  • Found the plugin useful on 14 Mar, 2018

    Future updates to come, this is the foundation for an epic site-wide alert system

  • Found the plugin useful on 8 Feb, 2018

    Guys, it's nice to have so many localizations, but none of the form partials use them. (For example the login partial). I see you had a lot of work with the loc files, but your plugin only use the half of them , because in the templates the text is hardwired. Except this, the plugin is great.

  • Found the plugin useful on 31 Dec, 2017

    it's marvelous.!!!

  • Found the plugin useful on 26 Dec, 2017

    This is the most useful plugin I have ever encountered and I am developer as well!!

  • Found the plugin useful on 14 Dec, 2017

    Hi. I got issue on this plugin. Forgot-password function not working. It seems error like this: Class name is not registered for the component "resetPass". Check the component plugin. Please help me.

  • Found the plugin not useful on 30 Nov, 2017

    Doing exactly as demonstrated in the video tutorials to get this plugin working it just not seems to work. Installing the plugin, adding the user component to a page. After registering the page is refreshed, fields are empty and no user is being created in the backend....what can I possibly be doing wrong while it seems so simple?


  • Found the plugin useful on 28 Nov, 2017

    A huge time saving!

  • Found the plugin useful on 28 Nov, 2017

    perfect and easily extendable

  • Found the plugin useful on 7 Aug, 2017


  • Found the plugin useful on 6 Jun, 2017

    This plugin works well for single contact form or if you have the patience to redo everything if you have multiple forms each page. Though very useful it lacks some of the need functionality that will make it a great plugins like:

    1. Duplicate Forms - So you can only add/remove needed fields
    2. Export Forms - this is a must specially when you need to test your forms locally and exporting them to your production, well you can do this by going directly to database but that forfeits the purpose of having a CMS.
    3. Docs need to be updated and more examples will be helpful (e.g. Date pickers using bootstrap)
    4. Better formatting, though you can get around using bootstrap

    Overall, I'm happy with the plugin

  • Found the plugin useful on 15 Apr, 2017

    Hello, i want to ask, how to check if the user is have role admin? is that {% if user.groups %} ? but that's not work at all.

  • Found the plugin useful on 13 Apr, 2017

    Awesome plugin

  • Found the plugin useful on 11 Apr, 2017

    The user plugin will be required by the vast majority of sites for commenting on content and helping to prevent spamming. Adding the plugin to the base installation gives a massive advantage to sites that require user access. Although it could be more detailed, it is a good framework which can be expanded upon.

  • Found the plugin useful on 23 Mar, 2017

    Very useful and flexible

  • Found the plugin useful on 24 Sep, 2016

    Great plugin.

    For all who are struggeling with the activation url: Check your route!

    url = "/your/route/:code?"
    paramCode = "code"

  • Found the plugin not useful on 22 Jul, 2016

    Too many plugins relying on this one plugin, having to extend everything in the boot section of the Plugin.php, Cannot extend models because of this reliance. ( I was able to override the auth facade, however relations remain unable to be overridden because of the the extending features).

    Its a good plugin, but the fact that every other plugin has a developer being forced to use it really does not work out well. Its a huge barrier that needs to be fixed, mainly issue with extending needs to be fixed.

  • Found the plugin useful on 21 Jul, 2016

    This plugin really good but in register page I am facing ajax error

    "AJAX handler 'onRegister' was not found." How solve this?

  • Found the plugin useful on 17 Jul, 2016

    How should I do when the user login redirect the Previous page not the home or '/'?

  • Found the plugin useful on 27 Jun, 2016

    the activation email link simply goes back to the signup form. But doesn't actually active the account. is this a bug?

  • Found the plugin useful on 22 Jun, 2016

    well... but how to make a login form for validate users

  • Found the plugin useful on 29 May, 2016

    this plugin realy good but how i can add a disconect (logout) button ?

  • Found the plugin useful on 26 May, 2016

    Very good plugin but can someone tell me how to hide the registration form? I have set up the settings to deactivate the registration but it is still being displayed.

    I would like to only display the login form.


  • Found the plugin useful on 14 May, 2016

    As a PHP user for over 15 years and a Laravel advocate for the past 3, I've gotta say I'm really loving OctoberCMS. I had built and maintained my own PHP web framework for years, but when it became to unwieldy to continue to maintain, I searched high and low for something that would replace all the functionality I'd spent so long creating, and October, thus far, has delivered in spades. The User plugin is a basic scaffolding for end user accounts, written cleanly and simply enough that it is easy to extend once you wrap your head around October's coding conventions. I started using October on a project-for-hire, but as soon as I finish that up, I'll be redesigning two of my personal sites using October as well.

  • Found the plugin useful on 26 Apr, 2016

    Very usefull plugin, It would be useful to integrate the captcha directly in this plugin

  • Found the plugin useful on 13 Apr, 2016

    Hey! I've found some issues with this plugin. When I enters the plugin's settings (/backend/system/settings/update/rainlab/user/settings), it throws an exeption: 'Call to undefined method October\Rain\Database\QueryBuilder::listAllTemplates()'. What's wrong? I just install the plugin and that's all, don't even start to use it..

  • Found the plugin useful on 8 Apr, 2016

    very usesul

  • Found the plugin useful on 24 Mar, 2016

    Good plugin

  • Found the plugin useful on 22 Mar, 2016

    Hi, Thanks for this plugin. It's amazing. But I did't find the registration page and user authentication. You can help me please. Thanks you.

  • Found the plugin useful on 10 Feb, 2016

    Great plugin with ACL control.

  • Found the plugin useful on 1 Dec, 2015

    Simple and Fast. Really useful.

  • Found the plugin useful on 3 Nov, 2015

    Like the Plugin

  • Found the plugin useful on 15 Oct, 2015

    Nice, but not enough extendable :)

  • Found the plugin useful on 8 Oct, 2015

    Seems great so far. Haven't really needed to use much of it at the moment so I'll bring my true review back in the next month or so.

  • Found the plugin useful on 21 Sep, 2015

    Very useful. Was the backbone of just about every site I've made with October

  • Found the plugin useful on 29 Jul, 2015

    ioCare, thank you for {% framework %}. It was veru helpful.

  • Found the plugin useful on 20 Jul, 2015

    I'm unable to update user information from the front end. It does work only on the backend

  • Found the plugin useful on 12 Jul, 2015

    good one for basic component (must have)

  • Found the plugin useful on 9 Jul, 2015

    Great plugin! Thanks!

  • Found the plugin useful on 22 Jun, 2015

    thats greatt...

  • Found the plugin useful on 3 Jun, 2015

    Awesome !!! :)

  • Found the plugin useful on 28 May, 2015

    Very good and helping a lot.

  • Found the plugin useful on 26 May, 2015

    Very useful plugin. would use again.

  • Found the plugin useful on 26 May, 2015

    Works as designed, keep up the good work!

  • Found the plugin useful on 3 May, 2015

    {% framework %} is required to be added in layout for this thing to work.for ajax calls. It should have been mentioned in docs in case if some one is designing pages from scratch.

  • Found the plugin useful on 1 Mar, 2015

    I have a doubt, with User::count() i have the number of registered users. but how i can get this:

    • Users connecteds
    • Guest users

  • Found the plugin useful on 15 Jan, 2015

    Excellent plugin!

  • Found the plugin useful on 10 Jan, 2015

    f you desire to login with username instead of email address, then provided username is added to the registration form (in additon to email) and the login form (instead of email) then the documentation suggests it will work. However, registration saves the username as the email address, regardless of what username is specified. The only way I have managed to solve this is to make the following one line addition to the plugin code {Rainlab/User/Models/User}:

        protected $fillable = [
            'username'    // NOTE I HAVE ADDED THIS

    Hope this helps and can be added in future updates.

  • Found the plugin useful on 9 Jan, 2015

    The plugin has good functionality but not very nice error handling/display. I got round this by editing Account.php (which was a last resort as will now need to be careful when plugin is updated)....The areas of changed code are in function onSignin() as below:

            $validation = Validator::make($data, $rules);
            if ($validation->fails()) {
                $flash_message = "";
                $messages = $validation->messages();
                foreach ($messages->all() as $message)
                    if ($flash_message != "")
                        $flash_message = $flash_message . " and ";
                    $flash_message = $flash_message . $message;
                return Redirect::to('account');
             * Authenticate user (MODIFIED for FLASH MESSAGES)
            try {
                $user = Auth::authenticate([
                    'login' => array_get($data, 'login'),
                    'password' => array_get($data, 'password')
                ], true);
            catch (Exception $ex) {
                return Redirect::to('account'); //redirect back to login if errors
             * Redirect to the intended page after successful sign in
            $redirectUrl = $this->pageUrl($this->property('redirect'));
            Flash::error('User authenticated! ' . $user);
            if ($redirectUrl = post('redirect', $redirectUrl))
                return Redirect::intended($redirectUrl);

  • Found the plugin useful on 17 Dec, 2014


  • Found the plugin useful on 17 Dec, 2014

    Hy, Iam a noob and start with OC-CMS. My Question is: where i can class the login / sign form?

  • Found the plugin useful on 14 Oct, 2014

    Super easy, great documentation

  • Found the plugin useful on 15 Sep, 2014

    Very useful plugin. It just lacks nicer error messages, but apart from that I find it really useful and I am very glad I don't have to use drupal or joomla anymore for user-oriented portals.

  • Found the plugin useful on 24 May, 2014

    @Hariadi Hinta / @ OctoDevel

    This issue should now be fixed.


Fixes Auth::register method signature mismatch with core OctoberCMS Auth library

May 22, 2018


Added token fallback process to Account / Reset Password components when parameter is missing.

Nov 26, 2017


Fixes bug where impersonation touches the last seen timestamp.

Nov 21, 2017


Fixes session handling for AJAX requests.

Oct 16, 2017


Fixes security bug in Password Reset component.

Oct 02, 2017


Added support for user impersonation.

Jul 28, 2017


!!! The Notifications tab in User settings has been removed.

Jul 28, 2017


Added force secure protocol property to the account component.

Dec 15, 2016


Allow prevention of concurrent user sessions via the user settings.

Nov 17, 2016


Minor fix to the Auth::register method.

Sep 17, 2016


User notification variables can now be extended.

Sep 08, 2016


Introduced guest user accounts.

Sep 08, 2016


Add invitation mail for new accounts created in the back-end.

Sep 08, 2016


Add date range filter to users list. Introduced a logout event.

Jul 25, 2016


Minor fix to user timestamp attributes.

Jul 06, 2016


Add a dedicated last seen column for users.

Jun 29, 2016


Database maintenance. Updated all timestamp columns to be nullable.

Apr 29, 2016


Added a checkbox for blocking all mail sent to the user.

Apr 28, 2016


Included some descriptive paragraphs in the Reset Password component markup.

Feb 13, 2016


Add bulk action button to user list.

Feb 08, 2016


New feature for checking if a user is recently active/online.

Dec 29, 2015


Users can now deactivate their own accounts.

Dec 11, 2015


Adds a new permission to hide the User settings menu item.

Dec 11, 2015


User list can be filtered by the group they belong to.

Dec 11, 2015


Adds a super user flag to the users table, reserved for future use.

Nov 27, 2015


A raw URL can now be passed as the redirect property in the Account component.

Sep 27, 2015


Users can now be added to groups.

Sep 25, 2015


!!! Profile fields and Locations have been removed.

Sep 25, 2015


Require permissions for settings page too.

Apr 28, 2015


Adds last name column to users table (surname).

Feb 20, 2015


Minor improvements to the code.

Feb 13, 2015


Minor fix to the Account sign in logic.

Oct 31, 2014


Create a dedicated setting for choosing the login mode.

Oct 08, 2014


Users now have an optional login field that defaults to the email field.

Sep 13, 2014


Adds administrator-only activation mode.

Sep 13, 2014


Adds new welcome mail message for users and administrators.

Sep 13, 2014


Updated the Settings page

Jul 27, 2014


Adds default country and state fields to Settings page

Jul 12, 2014


Added Mail Blocker utility so users can block specific mail templates

Jul 05, 2014


Added contact details for users

Jul 03, 2014


Improvements to user-interface for Location manager

Jun 06, 2014


Fixes various bugs

May 28, 2014


Add seed data for countries and states

May 12, 2014


Initialize plugin

Apr 04, 2014

Upgrading To 1.1

The User plugin has been split apart in to smaller more manageable plugins. These fields are no longer provided by the User plugin: company, phone, street_addr, city, zip, country, state. This is a non-destructive upgrade so the columns will remain in the database untouched.

Country and State models have been removed and can be replaced by installing the plugin RainLab.Location. The remaining profiles fields can be replaced by installing the plugin RainLab.UserPlus.

In short, to retain the old functionaliy simply install the following plugins:

  • RainLab.Location
  • RainLab.UserPlus

Upgrading To 1.4

The Notifications tab in User settings has been removed. This feature has been replaced by the Notify plugin. How to replace this feature:

  1. Install the RainLab.Notify plugin
  2. Navigate to Settings > Notification rules
  3. Click New notification rule
  4. Select User > Activated
  5. Click Add action
  6. Select Compose a mail message
  7. Select User email address for the Send to field
  8. Here you may select the Mail template previously defined in the user settings.
  9. Click Save