Lack of interest Changing email should force to verify it on the old email first

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.
bebosny

bebosny

Member
Hi there,

So right now you can change your email without any verification. So if someone were to compromise my forum account somehow, they could login and change the email without a hassle. This also means the real user can't recover account access as the forget password function will send the password reset email to the new email.

I think it should be different. I know a large amount of websites that force users to verify their old email first when they change to a different one.

So:
  1. User changes the email of their XF account
  2. An email with a verification link gets sent out to the old email
  3. An email with a verification link gets sent out to the new email
  4. When user clicks the link on both accounts, the account email gets changed
Perhaps make this something optional in the options.

Thanks.
 
Upvote 1
This suggestion has been closed. Votes are no longer accepted.
Websites that implement something like this usually send just a notification email to the old email address, not a verification email.

The problem is if a user no longer has access to their old email for whatever reason (yes, it happens) then to implement what you are suggesting would prevent them from ever changing their email address as they couldn't verify from the old email address.
 
Martok said:
Websites that implement something like this usually send just a notification email to the old email address, not a verification email.

The problem is if a user no longer has access to their old email for whatever reason (yes, it happens) then to implement what you are suggesting would prevent them from ever changing their email address as they couldn't verify from the old email address.
Click to expand...
That's a fair point. I'm going to do some research and see how other CMS's and platforms do this.
 
Perhaps adding a link to the email that currently gets sent out to the old email which allows to cancel the email change. This link would also have a 48 hour expiry time.

Perhaps this more something for a addon as it might seem complicated or unusual for most forums.
 

Similar threads

spk100
  • Question Question
XF 2.2 Ask members to verify email
Replies
1
Views
224
Mr Lucky
Mr Lucky
DaveM
  • Question Question
XF 2.2 New Member Cannot See Forum Nodes
Replies
11
Views
412
AndrewSimm
AndrewSimm
Stuart Wright
  • Solved
XF 2.2 Lots (and lots) of bounces for the same user. Why?
2
Replies
32
Views
1K
Alpha1
Alpha1
M
  • Question Question
XF 2.2 Is there an email bounce block list/blacklist/blocklist? Or is the only record the user state change? Can accounts be blocked for bounced emails?
Replies
6
Views
805
MaximilianKohler
M
Ludachris
  • Question Question
XF 2.2 Question about the 2FA process in XF
Replies
1
Views
920
Kirby
K
Top Bottom