Customer Registration and Authorization Configuration in 1C-Bitrix
Registration and authorization in Bitrix is a standard feature of the main module. Customers are stored in b_user, sessions in b_user_session (or in file/Redis sessions). The configuration task is to properly set security parameters, registration form, and user return behavior.
Main Module Settings
Settings → Main Module → Authorization:
- "Remember Me" — cookie expiration time (30 days by default). For stores handling personal data — recommend reducing to 7–14 days or disabling
- Password Policy — minimum length, requirement for digits/special characters. Configure in Settings → Password Policies
- Authorization Attempts — lockout after N failed attempts (Settings → Main Module → Security → Attempt Limit)
- CAPTCHA — enabled for registration and authorization forms via Settings → Main Module → CAPTCHA
Registration Components
Standard components:
- bitrix:main.register — registration form
- bitrix:main.login — authorization form
- bitrix:main.profile — profile editing
Parameters for the main.register component:
- REGISTRATION_FIELD_* — which fields to display (phone, address, etc.)
- CONFIRM_PASSWORD — require password confirmation
- EMAIL_CONFIRM — require email confirmation (sends confirmation link)
- DEFAULT_GROUP — user group for new customers
Email Confirmation
EMAIL_CONFIRM = Y in component parameters activates two-step registration: user fills the form, receives a confirmation email with a link, clicks it — account is activated. Email template: Settings → Mail → Email Templates → NEW_USER_CONFIRM.
Unconfirmed accounts are users with b_user.CONFIRM_CODE != NULL. They cannot log in until the link is clicked.
Social Authorization
Bitrix supports OAuth authorization via bitrix:socialservices.auth. Supported providers: VKontakte, Google, Facebook (Meta), Yandex, GitHub. Each provider is configured in Settings → Social Services — you need to create an app with the provider and provide App ID and Secret.
Security: What Must Be Configured
- HTTPS — authorization only over HTTPS. Cookies with the Secure flag set in PHP session settings
- HttpOnly for Cookies — XSS protection. In /bitrix/php_interface/dbconn.php or PHP settings: session.cookie_httponly = On
- CSP Headers — configured at web server level or via a handler in init.php
- Brute-force Protection — built-in IP lockout after N failed attempts
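The HTTPS, HttpOnly and CSP items above, as an added PHP example that is not from this page or from Bitrix itself: session cookie flags set in /bitrix/php_interface/dbconn.php, and a CSP header added from init.php through the main module's OnProlog event. The directive list, the $reportOnly switch and the helper name sendAuthSecurityHeaders are assumptions to be tuned to the site's actual scripts and OAuth providers.

```php
<?php
// /bitrix/php_interface/dbconn.php (fragment). This file is loaded before
// Bitrix starts the PHP session, so the cookie flags still take effect.
// Only send the session cookie over HTTPS (the "Secure flag" item above)
ini_set('session.cookie_secure', '1');
// Hide the session cookie from document.cookie (XSS protection)
ini_set('session.cookie_httponly', '1');
// Do not attach the session cookie to cross-site POSTs (PHP 7.3+).
// 'Lax' rather than 'Strict' so OAuth redirects from social providers
// still land in an authenticated session.
ini_set('session.cookie_samesite', 'Lax');

// /bitrix/php_interface/init.php (fragment). OnProlog fires before any
// page output, so headers can still be sent from here.
AddEventHandler('main', 'OnProlog', 'sendAuthSecurityHeaders'); // helper name is an assumption

function sendAuthSecurityHeaders(): void
{
    if (headers_sent()) {
        return; // output already started; headers cannot be added
    }
    // Assumed starting policy: same-origin scripts, no framing, and
    // form-action 'self' so the login/registration forms cannot be
    // re-targeted to another origin by injected markup.
    $reportOnly = true; // flip to false once the browser console shows no violations
    $csp = implode('; ', [
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
        "form-action 'self'",
        "frame-ancestors 'none'",
        "upgrade-insecure-requests",
    ]);
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header($name . ': ' . $csp);
    // Keep the browser on https:// for this host after the first visit
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}
```

Bitrix components and the admin area emit inline scripts, so expect to add nonces or 'unsafe-inline' to script-src, and the social-services provider origins where needed, while the policy is still in report-only mode.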
Timeframe
Basic registration and authorization setup with email confirmation — 4–6 hours. Adding social authorization through 2–3 providers — 1 business day.