Some explanations :-)
> If a person uses somebody else's email address to order,
> he will be able to view/use the profile of the person
> which the email belongs to. How do you secure this?
Not really: you have to have actual access to that e-mail postbox to access the order: it is a link like www.bluewidgets.tld/orders.php?order_num=234234&secret_key=fsdfsdfsdf inserted into the confirmation e-mail that allows access to the order, not the e-mail address itself (note the "secret_key" parameter, which acts like a password).
In this case, you effectively substitute the store's account password with your e-mail account's password.
In my experience:
1. Registrations are bad because:
- people hate registrations
- some people just don't understand the password management process (if you ask them to create a password, they do not understand what you mean; if you create passwords for them automatically, they do not understand what they are for)
2. Registrations are good because:
- your repeat customers like not to enter their contact data again
So, we just have that "remember me" checkbox; if the customer feels she will probably buy from you later, she marks it. A cookie is set on her computer, auto-filling the contact details form next time. If "remember me" is cleared with a following order, we stop auto-filling the form.
Therefore, you get all the advantages and no drawbacks. Is it not great? :-)
If the checkbox is not marked, we try to recognize the customer by her e-mail address for our backend purposes.
And, as mentioned above, the customer can still access her profile using the "silent password" in a link sent in the confirmation e-mail.
[edited by: Morgenhund at 12:54 pm (utc) on June 6, 2007]
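
An added example, not part of the post above and not the store's own code: one way a per-order `secret_key` link of the kind described can be issued and checked so that it really behaves like a password. The function names, the in-memory `_orders` table, the `https://` scheme and the 30-day expiry are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL = 30 * 24 * 3600  # assumption: a link stops working after 30 days
_orders = {}  # order_num -> (sha256(secret_key), issued_at); stand-in for a DB table


def issue_order_link(order_num, now=None):
    """Build the link that goes into the confirmation e-mail."""
    # 256 bits from the OS CSPRNG, so the key cannot be guessed or enumerated
    secret_key = secrets.token_urlsafe(32)
    # Store only a hash: a leaked orders table does not leak working links
    digest = hashlib.sha256(secret_key.encode()).digest()
    _orders[order_num] = (digest, time.time() if now is None else now)
    query = urlencode({"order_num": order_num, "secret_key": secret_key})
    return "https://www.bluewidgets.tld/orders.php?" + query


def check_order_link(url, now=None):
    """Return the order number if the link is valid, otherwise None."""
    params = parse_qs(urlparse(url).query)
    try:
        order_num = int(params["order_num"][0])
        secret_key = params["secret_key"][0]
    except (KeyError, ValueError):
        return None  # missing or malformed parameter
    record = _orders.get(order_num)
    if record is None:
        return None  # unknown order
    digest, issued_at = record
    presented = hashlib.sha256(secret_key.encode()).digest()
    # Constant-time comparison; the key must match *this* order's key
    if not hmac.compare_digest(presented, digest):
        return None
    if (time.time() if now is None else now) - issued_at > TOKEN_TTL:
        return None  # expired link
    return order_num
```

Because the key is bound to one order number, changing `order_num` in a valid link does not open a neighbouring order.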