I have a program for a client I’m building and I’ve a system that initially verifies their email by sending them a hash and if they send a correct hash they get entered. What I’m wanting to do is have users be able to update their email to a new email address and I’m wondering what is the best way to do it.
What I’ve thought of doing is:
User completes form for email change and an entry goes into the database with new email address and creates a hash (w/ timeout) and sends them an email with the hash to the old email address.
But that leads me to what to do with users that don’t have access to their old email address. Should I have the admin manually update their email address by sending the admin an email by having a ‘cannot access your old email address’ checkbox with an area for the user to add a message for the admin? Then the admin sends an email with a hash for that user.
OR is there some other way I should accomplish this task?
EDIT: I think it might be best to add a ‘what’s your favorite __’ question w/ answer into the database for those certain cases.
Why would you send the message to the old address?
Obviously you need to keep track of both addresses until the new one is confirmed, but if the user is authenticated, you should just send the change-mail message to the new address.
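A sketch of the flow this answer describes, added here as an illustration and not code from either poster: the current address stays active while a pending entry holds the new address, a digest of the token, and an expiry. The in-memory dictionaries, the function names and the one-hour timeout are assumptions standing in for the application's database and settings.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed timeout; the thread only says "w/ timeout"

# Constructed in-memory stand-ins for the users table and a pending-change table.
users = {1: {"email": "old@example.com"}}
pending_changes = {}  # user_id -> {"new_email", "token_hash", "expires_at"}


def _hash_token(token):
    # Store only a digest so a database leak does not expose usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_email_change(user_id, new_email, now=None):
    """Called for an already-authenticated user. Returns the token to mail
    to new_email; the current address stays active until confirmation."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    pending_changes[user_id] = {
        "new_email": new_email,
        "token_hash": _hash_token(token),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token


def confirm_email_change(user_id, token, now=None):
    """Swap in the new address only if the token matches and has not expired."""
    now = time.time() if now is None else now
    entry = pending_changes.get(user_id)
    if entry is None:
        return False
    if now > entry["expires_at"]:
        del pending_changes[user_id]  # expired requests are discarded
        return False
    if not hmac.compare_digest(entry["token_hash"], _hash_token(token)):
        return False
    users[user_id]["email"] = entry["new_email"]
    del pending_changes[user_id]  # single use
    return True
```
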