From ea91d8c92ec2db10e39799aff876a689f50d4027 Mon Sep 17 00:00:00 2001 From: Marco Date: Tue, 26 Sep 2017 22:20:07 +0200 Subject: [PATCH] Explain that users should be notified about email address changes --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 9aba516..82198b9 100644 --- a/README.md +++ b/README.md @@ -365,6 +365,8 @@ For email verification, you should build an URL with the selector and token and $url = 'https://www.example.com/verify_email?selector='.urlencode($selector).'&token='.urlencode($token); ``` +After the request to change the email address has been made, or even better, after the change has been confirmed by the user, you should send an email to their account’s *previous* email address as an out-of-band notification informing the account owner about this critical change. + ### Re-sending confirmation requests If an earlier confirmation request could not be delivered to the user, or if the user missed that request, or if they just don’t want to wait any longer, you may re-send an earlier request like this:
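Review bot: The added paragraph after the `$url` example in README.md says to notify the account's *previous* email address "after the change has been confirmed by the user", but it does not say that the application has to read and keep the old address before the confirmation is processed, since by that point the account is expected to carry the new address. Suggest adding one sentence telling readers to fetch the current address before starting or confirming the change. The paragraph also offers two points in time ("after the request ... has been made, or even better, after the change has been confirmed") without saying what the notification should contain in each case; it would help to state that this message goes out in addition to the verification email sent to the new address and should not include the selector or token from the URL above.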