How to deal with user email change

Question

I'm adding an option for my users to change their email, and I'm thinking what is the best way of doing it in a safe and fool-proof manner.. so far I have the following options

1) When user changes the email, system stores in a temporary column in the database and sends an email to the new one, requiring the user to click the link to confirm it and only then, change it (I would need 2 extra fields on my DB - temp_email and email_token)

2) When user changes the email, system would gather data from AccountID and New Email, encrypt it and send it to the new email.. when the user clicks the link, system decrypts it and changes accordingly.

I really like the second option, since it does not require saving extra fields on the database.. so my question is.. which one is a better solution? Or perhaps a third one..

Side note: it is worth asking for the password when the change is requested, in case the user stayed logged in somewhere. — rybo111, Aug 29 '15 at 13:54
@rybo111 You could certainly do that. I believe Twitter does. — timgavin, Aug 29 '15 at 14:04
@rybo111 the problem is.. what if the user has logged in with facebook, and has no password ? — sigmaxf, Aug 29 '15 at 14:06

timgavin · Accepted Answer · 2015-08-31T12:30:06.760

3

I have two fields in my users table: recovery_hash and recovery_time that are updated when a user changes something. I put in a random hash and the current time.

I then send an email to that person (in your case, to their new address), and in the link is the hash (http://foobar.com/verify/randomHashG03sHere). The user clicks the link and it goes to a verify script on the server - which validates the hash and then checks to see if the current time is within an hour of the recovery_time. If both checks validate, I make the change, which, in your case would be updating the users email field with their new email address - which you could store in a separate table, or even in the same users table as a new_email field.

Since you're anticipating the user wanting to change things, you could just store the new email address in a separate table, such as users_temp.email and then update the users table with that new value after it's been validated.

edited Aug 31 '15 at 12:30

answered Aug 29 '15 at 14:00

timgavin

4,972
4
36
48

Thanks for sharing. I like the idea of using a generic recovery token system. I was using a password_recovery_token and was dreading the idea of building out a separate email change token, I think I'll just generalize it to recovery_token and send different emails based on the desired action. I don't like the idea of a temp table just for the new email so maybe I"ll just include the new email in the url that goes out and have it save when the user clicks the link. – Emeka Apr 15 '16 at 14:57
I don't think it's a good idea to put the user's email address in the url. I did that on a project years ago and it caused problems for some addresses that contained special characters, such as `+`. Read these answers before you decide: http://stackoverflow.com/questions/20400250/email-addresses-inside-url – timgavin Apr 15 '16 at 16:08

score 1 · Answer 2 · answered Aug 29 '15 at 13:51

1

You could just create another table to deal with temporary e-mail addresses (e-mail + AccountID + token + timestamp (possibly)).

answered Aug 29 '15 at 13:51

NoroSlivka

29
4

score 0 · Answer 3 · answered Aug 29 '15 at 13:49

I would highly avoid option 2. Keep all your data local on your server! In case someone breaks your encryption he can mess up your entire database or webservice. Especially credentials or email-addresses should never be outsourced. Option 1 is much more recommended, though the data could also be stored in a different manner.

How to deal with user email change

3 Answers3