#1 Regular Coder (Join Date: Jan 2006, Posts: 377)

    Which method for email change activation?

    I would like to offer my members the option of changing their email addresses. However, I feel paranoid that allowing them to change the email address on the fly during a session is dangerous security-wise.

    So, I am thinking of sending activation emails to their new addresses and upon activation allow them to change their emails.

    There are a couple of ways to accomplish this.

    I can send their new address a randomly generated activation code and ask them to enter it.
    I can send them a link that changes the email directly.

    What is the best and secure way? Any ideas?

#2 fci, Senior Coder (Join Date: Aug 2004, Location: Twin Cities, Posts: 1,345)
    i would send a link that contains a hash that expires after 30mins/24hrs/whatever which brings them to a location to let them edit their email address.

#3 Senior Coder (Join Date: Nov 2002, Location: North-East, UK, Posts: 1,265)
    > However, I feel paranoid that allowing them to change the email address on the fly during a session is dangerous security-wise.

    I don't see why it should affect it unless you are using the email as a login and session variable.

    You should always have the user working from a primary key id.

#4 Regular Coder (Join Date: Jan 2006, Posts: 377)
    Sorry, forgot to mention. I AM using the email address as a login name and as a session variable (although not that necessarily).

#5 Senior Coder (Join Date: Nov 2002, Location: North-East, UK, Posts: 1,265)
    Again, you should change that so that any user actions are using the Primary Key, e.g. user_id.

    All other variables are then dispensable.

#6 Regular Coder (Join Date: Jan 2006, Posts: 377)
    Does this mean that each site that is using email as login name is insecure? There are lots of sites out there, who use this feature.

#7 Senior Coder (Join Date: Nov 2002, Location: North-East, UK, Posts: 1,265)
    It's ok to use it as a login, but any user actions should be referenced by a user id or session variable.
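
The expiring-link approach from #2, keyed by the user's primary key as #5 and #7 recommend, as an added example that is not code from anyone in this thread. Assumptions: a 24-hour link lifetime, an in-memory dict standing in for the users table, and storing only a SHA-256 hash of the token so a leaked database row cannot be replayed as the link.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed link lifetime: 24 hours, in seconds


class EmailChangeFlow:
    """Pending email changes are keyed by user_id, never by the email itself."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be tested
        self.users = {}       # user_id -> current email (stands in for the users table)
        self.pending = {}     # user_id -> (token_hash, new_email, expires_at)

    def request_change(self, user_id, new_email):
        """Create a single-use token; the raw token only ever goes into the emailed link."""
        token = secrets.token_urlsafe(32)                       # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()     # store the hash, not the token
        self.pending[user_id] = (digest, new_email, self.now() + TOKEN_TTL)
        # The caller mails e.g. /confirm?uid=<user_id>&token=<token> to new_email.
        return token

    def confirm_change(self, user_id, token):
        """Apply the change only if the token is unexpired, matches, and belongs to user_id."""
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        digest, new_email, expires_at = entry
        if self.now() > expires_at:
            del self.pending[user_id]                           # expired: discard it
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):          # constant-time comparison
            return False
        del self.pending[user_id]                               # single use
        self.users[user_id] = new_email                         # the only place the email changes
        return True
```

Because the pending record lives under user_id, a token mailed for one account can never be applied to another, and the login name can change freely without touching anything else that references the user.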
