Confirm change of e-mail before updating it in database

ActorMike

ActorMike

Well-known member
Licensed customer
Is there a way to only update an email address after the user has confirmed it? Amazing people are too lazy to unsubscribe, so they are putting in fake email addresses instead. We don't require email confirmation upon registration BTW.
 
Confirm new email from the old email would be a nice feature. If a users account has been breached they couldn't change the email and the owner would still be able to recover the account.
 
madness85 said:
Confirm new email from the old email would be a nice feature. If a users account has been breached they couldn't change the email and the owner would still be able to recover the account.
Click to expand...
I think the new email address must be confirmed before the old email address is removed. What if a user puts in someone else's email address? The way XF currently works, the new email will start receiving messages without authorizing it. Could be a potential problem. Many websites work this way now.
@Mike any thoughts?
 
ActorMike said:
I think the new email address must be confirmed before the old email address is removed. What if a user puts in someone else's email address? The way XF currently works, the new email will start receiving messages without authorizing it. Could be a potential problem. Many websites work this way now.
@Mike any thoughts?
Click to expand...
That doesn't help if the account has been breached, they could just update and confirm the email to their own.

But however it's implemented I totally agree with you that emails should be confirmed and I'm supprised it's not already a feature.
 
madness85 said:
That doesn't help if the account has been breached, they could just update and confirm the email to their own.
Click to expand...
Correct, I never suggested it for anything breach related. It's definitely an outlet that could be leveraged for misuse, and as also noted, for some bizzare reason some users will put in a bogus address rather than simply unsubscribe.

What you suggested is not practical, because many times users no longer have access to the old email account to approve the change.
 
ActorMike said:
Correct, I never suggested it for anything breach related. It's definitely an outlet that could be leveraged for misuse, and as also noted, for some bizzare reason some users will put in a bogus address rather than simply unsubscribe.

What you suggested is not practical, because many times users no longer have access to the old email account to approve the change.
Click to expand...

After changing the email address there will be a highlighted notice on top of every page of the forum:

IMG_20200921_095100.webp

At the same time you're not able to create any new messages that makes your account inactive before confirmation of new email address. People usually will be aware of the wrong email address they've provided and will change it right away.

But.. if the owner of the wrong email address acts quicker than you, he receives the email address confirmation mail and click the confirmation button. Then hit the forgot the password link.. he can actually steal your account by that.

That is actually a problem. So two step verification is needed to protect your account.
 
I'm not totally following this thread, but my forum is asking me to approve a new members change of email address.

Clearly XF is trying to protect me from something. Not sure what.

Neither email (old or new) is on the forum spam list and the geography looks legit. (most of our legit members are from a specify part of the US).
 
You must log in or register to reply here.
Back
Top Bottom