Lack of interest Changing email should force to verify it on the old email first

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.
bebosny

bebosny

Member
Hi there,

So right now you can change your email without any verification. So if someone were to compromise my forum account somehow, they could login and change the email without a hassle. This also means the real user can't recover account access as the forget password function will send the password reset email to the new email.

I think it should be different. I know a large amount of websites that force users to verify their old email first when they change to a different one.

So:
  1. User changes the email of their XF account
  2. An email with a verification link gets sent out to the old email
  3. An email with a verification link gets sent out to the new email
  4. When user clicks the link on both accounts, the account email gets changed
Perhaps make this something optional in the options.

Thanks.
 
Upvote 1
This suggestion has been closed. Votes are no longer accepted.
Websites that implement something like this usually send just a notification email to the old email address, not a verification email.

The problem is if a user no longer has access to their old email for whatever reason (yes, it happens) then to implement what you are suggesting would prevent them from ever changing their email address as they couldn't verify from the old email address.
 
Martok said:
Websites that implement something like this usually send just a notification email to the old email address, not a verification email.

The problem is if a user no longer has access to their old email for whatever reason (yes, it happens) then to implement what you are suggesting would prevent them from ever changing their email address as they couldn't verify from the old email address.
Click to expand...
That's a fair point. I'm going to do some research and see how other CMS's and platforms do this.
 
Perhaps adding a link to the email that currently gets sent out to the old email which allows to cancel the email change. This link would also have a 48 hour expiry time.

Perhaps this more something for a addon as it might seem complicated or unusual for most forums.
 

Similar threads

Steffen
Fixed User state "email_bounce": Cannot confirm email address without changing it
Replies
1
Views
2K
XF Bug Bot
XF Bug Bot
UnioDex
Send Activation Mail to Old Email Address When Changing Email Address
Replies
2
Views
670
UnioDex
UnioDex
A
Changing email confirmation to current email
Replies
1
Views
1K
adaaamb
A
Back
Top Bottom