wiki:EmailChangeNotification

Email Change Notification

If a hacker gains access to an account, they are able to change the email address and make it impossible for the original user of the account to regain control of their account. This design describes a change that will make it more difficult for the email address to be changed by another user.

Database Changes

Add two columns to user:

  • previous_email_addr varchar(254) nullable
  • email_addr_change_time int not null default 0

Process Flow

When a user decides to change their email address, they will proceed to the change email address screen as normal.

If they submit their new email address and password correctly, then a token will be created and sent to the users previous email address with a notice that "Your email address has been changed. If you did not take this action, then please click on the link below reverse this process and change your password." The link will be valid for 7 days.

The system will also set the user.email_addr field to the new email address, rehash the password and put the old email address into the user.previous_email_addr and set the user.email_addr_change_time to php time()time().

When the user clicks on the link then they be sent to a page that verifies the token. If the token is invalid, then the user will be informed that they need to provide a new password and that after submission their password will be updated and the email address will be reverted to the previous email address. If the token is valid (it will be submitted as a hidden field), then user.email_address will be assigned the value from user.previous_email_address and user.email_addr_change_time will be set to 0.

If the user attempts to visit the change email address screen while user.email_addr_change_time is within 7 days, then they will be informed that they can only change their email address once every 7 days.

Last modified 6 years ago Last modified on Apr 24, 2018, 10:53:12 AM