Which method for email change activation?

I would like to offer my members the option of changing their email adresses. However, I feel paranoid that allowing them to change the email adress on the fly during a session is dangerous security-wise.

So, I am thinking of sending activation emails to their new adresses and upon activation allow them to change their emails.

There are a couple of ways to accomplish this.

I can send their new adress a randomly generated activation code and ask them to enter it.
I can send them a link that changes the email directly.

What is the best and secure way? Any ideas?

i would send a link that contains a hash that expires after 30mins/24hrs/whatever which brings them to a location to let them edit their email address.

However, I feel paranoid that allowing them to change the email adress on the fly during a session is dangerous security-wise.

I don't see why it should effect it unless you are using the email as a login and session variable.

You should always have the user working from a primary key id.

Sorry, forgot to mention. I AM using the email adress as a login name and as a session variable (although not that necessarily).

Again, you shoud change that so the any user actions are using the Primary Key e.g. user_id

All other variables are then dispensable.

Does this mean that each site that is using email as login name is insecure? There are lots of sites out there, who use this feature.

It's ok to use it as a login, but any user actions should be refereced by a user id or session variable.