PHP Developers Network

I am thinking on how to implement a email change function in light of the worst case scenario and how to revert it if it was malicious.

In light of people choosing the easiest possible password that I let them choose, I have to deal with a hacked account or a collegue using the logged in account to change the email just for fun.

If I change a customers email, I have to deal with the possibility that I am handing over his account to someone else.

My approach is the following:

- I ask for the password again when the Email is changed
- I create 2 Emails one to the old address one to the new. Both inlcude a different hash. The one to the new is obvious as it is used for validation. The one to the old includes 2 Links, one to finalize the change and one to deny the change in case of a malicious change request.

I change the emailadress on validation but I keep the possibility to reverse it if the user e.g. comes back from vacation and notices the problem.

Is this enough precaution or do I need more? I might be totally paranoid about this but I can think of a couple of scenarios where I might think that an automated email change system might be completely a bad idea ...

To ask the password for changing the email address is a good idea; a correct combination of both doesn't always indicate the owner of the account. I'm not so sure about sending a validation email to the new address; it feels to me like a bit of overkill;

If the correct password is provided; for both login and the request to update information, you can only assume the user is the valid owner of the account. A user also has an obligation to keep sensitive information secure.


You should force a format for the passwords here (if you don't already); at least 8 characters in length and those characters be a mix of alpha numeric characters and non-word characters; generate passwords if you must.

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

The validation email to the new account is just to make sure the email is correct, as my application requires a valid email so I can contact the user.

My problem was that I used the email adress as username as well but I changed this so most of the problems I had with changing the mail are gone now

It seems to me like that's the user's problem, not yours. However, there is a security problem with not confirming it. A malicious user could conceivably create an account under an email, change it to a non-existant email, and then register again with the first email. Using this method the person could create as many accounts as they like with only one valid email address. A good way to circumvent that would be to put a hold on the email for say, 36 hours, before allowing any particular email to be re-registered.

Overall, I don't think you need to be too worried about it, most sites are pretty lax in dealing with changing emails, I find, and there's not too much trouble.