I am using the email address as a username and am allowing users to change their email... which obviously also changes their login. Is there any reason why allowing this flexibility would be a problem? Users are tracked with userid.

thanks

+3  A: 

I would recommend keeping track of both old and new e-mails and allow them to login with either. FogBugz has a username field as well as e-mail with support for multiple e-mail addresses and users can login with any e-mail address or their chosen username.

Don't make things harder for the user when it's easy to program around.

Sam
Keeping bad email addresses is a bad idea. What if someone else gets that email address? Huge security hole.
fuzzy lollipop
You could add functionality for removing email addresses as well, then it's the user's responsibility.
Niels Bom
+1  A: 

If your system contacts the user with information regarding his/her account via e-mail, I think allowing the user to change his/her e-mail should be allowed.

Anthony Forloney
A: 

When you say users are tracked with userid, does userid mean email address? What you might try is generating a user id # for each user and use that to track users instead of email addresses. You can still use email addresses as your login mechanism and all that, but using a number behind the scenes would allow users to change email addresses.

echo
The OP didn't state what system they're using, but if it's the ASP.NET security provider (or similar) there is a separate user "key" (a GUID) that is used internally to identify the user, completely independent of their username or e-mail address.
GalacticCowboy
A: 

If Sam's suggestion doesn't work for you, you could at least notify them of this either on the web page or by e-mail. (or both)

GalacticCowboy
+2  A: 

I recommend using an id number as the primary key of the table; you can use whatever you want as the username, for instance the email. The user will only see his username, not the id. Then the user will be able to change his username (email) but the primary key will stay the same, and there will not be any problem with foreign keys to other tables.

Javi
The OP said he's using a userid internally already.
Sam
A: 

Since you have a userid, you should allow this. I maintain a website where the email is a login for the registered users but sometimes users may deactivate/change their email for whatever reason and then they update their email. You don't want to lose your users by restricting this.

Mimi
+1  A: 

Just about every site I've seen that uses an e-mail address as the login allows users to change their e-mail address and thus their login names.

In terms of public identity, most services allow you to create a screen name or handle for your account, so while you may log in with your e-mail "[email protected]", you'll still be known as "Bob" regardless of whether or not you change your e-mail/login.

It's also a good idea not to show people's e-mail addresses unless they explicitly allow it.

Paperjam
This is how I have it set up. My concern is that I can pass my account to someone else and that new person inherits the prior person's history but can change the email AND the display name, and be a complete fraud.
zsharp
+1  A: 

The capability of changing the mail address is essential, otherwise a user might lose all his data on your site because he might no longer be able to access it (password recovery wouldn't work anymore).

Just make sure the new e-mail address is verified and keep the old one (and only that one) active until the verification is performed!

I don't exactly understand what you mean by

my concern is that i can pass my account to someone else and that new person inherits the prior persons history but can change the email AND the display name, and be a complete fraud

Should somebody pass his account to someone else, you're outta luck. Even if you required short message PIN / cellphone authentication, you'd still have to give the user the option to also change his cell number.

Snail mail and real names (i.e., the banking approach) are an option, but that is slow and quite expensive.

mnemosyn
"until email is verified"... Even if the email has not been verified by link, he can still log in with it provided the username changed successfully.
zsharp
I am not sure I understand this correctly. Let's say I am logged in as user id 1, address '[email protected]'. Now, I want to change my mail address to '[email protected]'. You store this verification link in your database, along with the user id 1. Upon verification of the mail address (and no earlier) you change the mail address and thus also the username in the database. If your auth cookie was bound to the e-mail address, the user needs to log in anew; if it is bound to the id that is not necessary (from your original question I think it's the former).
mnemosyn
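The flow mnemosyn describes (a pending change bound to the user id, the old address staying the login until the new one is verified, the swap happening only on confirmation) together with the point made under Sam's answer that a released address must not stay usable as a login, as an added example. This is not code from the original thread; it uses an in-memory SQLite database, and the schema, the function names, the one-hour token lifetime and the session store are all constructed for illustration.

```python
import hashlib
import secrets
import sqlite3

# Constructed schema: the integer id is the primary key and the target of every
# foreign key; the e-mail/login is an ordinary mutable column. A pending change
# is stored against the user id, never against the old e-mail string.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    display_name TEXT NOT NULL
);
CREATE TABLE posts (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    body TEXT NOT NULL
);
CREATE TABLE pending_email_changes (
    token_hash TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    new_email TEXT NOT NULL,
    expires_at INTEGER NOT NULL
);
"""

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a verification link

# Sessions (constructed, in-memory) are keyed by user id, so a completed e-mail
# change does not log the user out.
_sessions = {}


def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def _hash_token(token):
    # Only the hash is stored; the raw token goes into the mail to new_email.
    return hashlib.sha256(token.encode()).hexdigest()


def create_user(conn, email, display_name):
    cur = conn.execute(
        "INSERT INTO users (email, display_name) VALUES (?, ?)", (email, display_name))
    return cur.lastrowid


def find_user_by_login(conn, email):
    """The login lookup: only the currently verified address resolves to a user."""
    row = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None


def request_email_change(conn, user_id, new_email, now):
    """Record a pending change and return the token to mail to new_email.

    The user's current address stays the login; nothing in users changes yet.
    """
    owner = find_user_by_login(conn, new_email)
    if owner is not None and owner != user_id:
        raise ValueError("address already belongs to another account")
    token = secrets.token_urlsafe(32)
    # One outstanding change per user: a newer request supersedes the old link.
    conn.execute("DELETE FROM pending_email_changes WHERE user_id = ?", (user_id,))
    conn.execute(
        "INSERT INTO pending_email_changes VALUES (?, ?, ?, ?)",
        (_hash_token(token), user_id, new_email, now + TOKEN_TTL_SECONDS))
    conn.commit()
    return token


def confirm_email_change(conn, token, now):
    """Swap the login to the new address; only now does the old one stop working."""
    row = conn.execute(
        "SELECT user_id, new_email, expires_at FROM pending_email_changes WHERE token_hash = ?",
        (_hash_token(token),)).fetchone()
    if row is None:
        return False
    user_id, new_email, expires_at = row
    # Single use: the row goes away whether or not the confirmation succeeds.
    conn.execute("DELETE FROM pending_email_changes WHERE token_hash = ?", (_hash_token(token),))
    if now > expires_at:
        conn.commit()
        return False
    # Re-check at confirmation time: someone may have registered the address meanwhile.
    owner = find_user_by_login(conn, new_email)
    if owner is not None and owner != user_id:
        conn.commit()
        return False
    conn.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, user_id))
    conn.commit()
    return True


def start_session(user_id):
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = user_id
    return sid


def session_user(sid):
    return _sessions.get(sid)
```

Because posts and sessions reference the integer id, the user's history and login state survive the address change, while the old address is dropped from the login lookup at the moment the new one is verified, so nobody who later obtains that address can log in with it.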