
Which method for email change activation?



guvenck
02-07-2006, 10:35 PM
I would like to offer my members the option of changing their email addresses. However, I feel paranoid that allowing them to change the email address on the fly during a session is dangerous security-wise.

So, I am thinking of sending activation emails to their new addresses and upon activation allow them to change their emails.

There are a couple of ways to accomplish this.

I can send their new address a randomly generated activation code and ask them to enter it.
I can send them a link that changes the email directly.

What is the best and secure way? Any ideas?

fci
02-08-2006, 05:25 AM
i would send a link that contains a hash that expires after 30mins/24hrs/whatever which brings them to a location to let them edit their email address.

degsy
02-08-2006, 02:44 PM
However, I feel paranoid that allowing them to change the email address on the fly during a session is dangerous security-wise.

I don't see why it should affect it unless you are using the email as a login and session variable.

You should always have the user working from a primary key id.

guvenck
02-08-2006, 05:25 PM
Sorry, forgot to mention. I AM using the email address as a login name and as a session variable (although not that necessarily).

degsy
02-09-2006, 03:45 PM
Again, you should change that so any user actions are using the Primary Key e.g. user_id

All other variables are then dispensable.

guvenck
02-10-2006, 05:23 PM
Does this mean that each site that is using email as login name is insecure? There are lots of sites out there, who use this feature.

degsy
02-13-2006, 03:57 PM
It's ok to use it as a login, but any user actions should be referenced by a user id or session variable.
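The two suggestions in this thread (fci's expiring link, and degsy's point that the account should be addressed by its primary key rather than by the email) fit together in one flow. The following is an added illustration, not code from any poster, written in Python with an in-memory dictionary standing in for the database. It assumes the pending change is stored server-side under a hash of a random token, that the link mailed to the new address carries the raw token, and that the confirmation handler updates the email column of the row selected by user_id. The account data and the 24-hour lifetime are constructed for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # 24 hours, one of the lifetimes mentioned in the thread

# Constructed stand-ins for the application's tables.
# users: primary key user_id -> account record. Login resolves an email to a
# user_id once; the session then carries only the user_id.
users = {
    1: {"user_id": 1, "email": "old@example.com"},
}
# pending_changes: sha256(token) -> details of the requested change.
pending_changes = {}


def _token_key(token):
    """Store only a hash of the token so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def request_email_change(user_id, new_email, now=None):
    """Record a pending change for user_id and return the raw token to email.

    The raw token goes only into the link sent to new_email; the store keeps
    its hash. Any earlier pending request for this user is discarded so that
    only the newest link works.
    """
    now = time.time() if now is None else now
    if user_id not in users:
        raise KeyError("unknown user_id")
    for key, pending in list(pending_changes.items()):
        if pending["user_id"] == user_id:
            del pending_changes[key]
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    pending_changes[_token_key(token)] = {
        "user_id": user_id,
        "new_email": new_email,
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token


def confirm_email_change(token, now=None):
    """Apply the change identified by token if it exists and has not expired.

    Returns True when the email was updated. The token is consumed on any
    attempt, so a link can be used at most once.
    """
    now = time.time() if now is None else now
    pending = pending_changes.pop(_token_key(token), None)
    if pending is None:
        return False
    if now > pending["expires_at"]:
        return False
    # The account is located by its primary key, never by the old email,
    # so changing the address does not disturb anything else keyed on the user.
    users[pending["user_id"]]["email"] = pending["new_email"]
    return True


def find_user_id_by_email(email):
    """Login lookup: resolve the address to the primary key once at login."""
    for user in users.values():
        if user["email"] == email:
            return user["user_id"]
    return None


if __name__ == "__main__":
    # Walk through the flow: request, mail the link, confirm, then try to reuse.
    raw_token = request_email_change(1, "new@example.com")
    link = "https://example.invalid/confirm-email?token=" + raw_token  # constructed URL
    print("would mail to new@example.com:", link)
    print("first click applies change:", confirm_email_change(raw_token))
    print("second click is rejected:", confirm_email_change(raw_token))
    print("account now reads:", users[1]["email"])
```

Because the session holds only user_id, the email can change mid-session without touching the session at all; the email is needed only at login, where find_user_id_by_email turns it into the key everything else uses.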