diff --git a/app/main/views/user_profile.py b/app/main/views/user_profile.py index 721affc9d..7849a8133 100644 --- a/app/main/views/user_profile.py +++ b/app/main/views/user_profile.py @@ -1,4 +1,5 @@ -from flask import request, render_template, redirect, url_for +from flask import ( + request, render_template, redirect, url_for, session) from flask.ext.login import current_user from app.main import main from app.main.dao.users_dao import (verify_password, update_user) @@ -7,6 +8,11 @@ from app.main.forms import ( ChangeMobileNumberForm, ConfirmMobileNumberForm, ConfirmPasswordForm ) +NEW_EMAIL = 'new-email' +NEW_MOBILE = 'new-mob' +NEW_EMAIL_PASSWORD_CONFIRMED = 'new-email-password-confirmed' +NEW_MOBILE_PASSWORD_CONFIRMED = 'new-mob-password-confirmed' + @main.route("/user-profile") def user_profile(): @@ -36,9 +42,8 @@ def user_profile_email(): form = ChangeEmailForm(email_address=current_user.email_address) if form.validate_on_submit(): - # TODO update session with password confirm + session[NEW_EMAIL] = form.email_address.data return redirect(url_for('.user_profile_email_authenticate')) - return render_template( 'views/user-profile/change.html', thing='email address', @@ -54,7 +59,11 @@ def user_profile_email_authenticate(): return verify_password(current_user, pwd) form = ConfirmPasswordForm(_check_password) + if NEW_EMAIL not in session: + return redirect('main.user_profile_email') + if form.validate_on_submit(): + session[NEW_EMAIL_PASSWORD_CONFIRMED] = True return redirect(url_for('.user_profile_email_confirm')) return render_template( 
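Review bot: Storing a new address in `session[NEW_EMAIL]` in `user_profile_email` leaves any earlier `NEW_EMAIL_PASSWORD_CONFIRMED` flag in place, so a password check passed for one pending address, or in an abandoned earlier attempt, still authorises whatever address is stored later in the same session. Clear the flag whenever the pending value is replaced, e.g. `session.pop(NEW_EMAIL_PASSWORD_CONFIRMED, None)` just before the redirect. The same applies to `session[NEW_MOBILE]` and `NEW_MOBILE_PASSWORD_CONFIRMED` in the `user_profile_mobile_number` hunk. No expiry for the flag is visible in this diff; if re-authentication is meant to be recent, storing a timestamp instead of `True` would let the confirm step enforce that.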
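Review bot: `redirect('main.user_profile_email')` in `user_profile_email_authenticate` hands an endpoint name to `redirect`, which expects a URL, so the browser is sent to a relative path literally named `main.user_profile_email` rather than to the change-email view. Use `return redirect(url_for('.user_profile_email'))`, as the mobile authenticate hunk already does. The guard added in the `user_profile_email_confirm` hunk has the same problem with `'main.user_profile_email_authenticate'`. The route decorator and the start of `_check_password` lie outside this hunk.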
@@ -68,9 +77,17 @@ def user_profile_email_authenticate(): @main.route("/user-profile/email/confirm", methods=['GET', 'POST']) def user_profile_email_confirm(): + # TODO add verify code support form = ConfirmEmailForm() + if NEW_EMAIL_PASSWORD_CONFIRMED not in session: + return redirect('main.user_profile_email_authenticate') + if form.validate_on_submit(): + del session[NEW_EMAIL] + del session[NEW_EMAIL_PASSWORD_CONFIRMED] + current_user.email_address = session['new_email'] + update_user(current_user) return redirect(url_for('.user_profile')) return render_template( @@ -86,7 +103,7 @@ def user_profile_mobile_number(): form = ChangeMobileNumberForm(mobile_number=current_user.mobile_number) if form.validate_on_submit(): - # update session with this step + session[NEW_MOBILE] = form.mobile_number.data return redirect(url_for('.user_profile_mobile_number_authenticate')) return render_template( @@ -104,8 +121,11 @@ def user_profile_mobile_number_authenticate(): return verify_password(current_user, pwd) form = ConfirmPasswordForm(_check_password) + if NEW_MOBILE not in session: + return redirect(url_for('.user_profile_mobile_number')) + if form.validate_on_submit(): - # Update mobile number + session[NEW_MOBILE_PASSWORD_CONFIRMED] = True return redirect(url_for('.user_profile_mobile_number_confirm')) return render_template( @@ -122,6 +142,10 @@ def user_profile_mobile_number_confirm(): form = ConfirmMobileNumberForm() if form.validate_on_submit(): + del session[NEW_MOBILE] + del session[NEW_MOBILE_PASSWORD_CONFIRMED] + current_user.mobile_user + update_user(current_user) return redirect(url_for('.user_profile')) return render_template(
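Review bot: In `user_profile_email_confirm` both `del session[...]` lines run before `session['new_email']` is read, and that key does not match `NEW_EMAIL` (`'new-email'`), so a valid submit raises `KeyError` before `update_user` is reached. Read the value as it is removed: `current_user.email_address = session.pop(NEW_EMAIL)` followed by `session.pop(NEW_EMAIL_PASSWORD_CONFIRMED, None)`. The guard checks only the password flag, so it is worth requiring `NEW_EMAIL in session` as well. Until the verify-code TODO is implemented the address is changed without proof that the user controls it, which matters if this address is later used for account recovery.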
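Review bot: `user_profile_mobile_number_confirm` has no check for `NEW_MOBILE_PASSWORD_CONFIRMED` before handling the form, unlike the email confirm view, and `current_user.mobile_user` is a bare attribute access that assigns nothing, so the new number is never stored. A submit that validates without the earlier steps would fail on `del session[NEW_MOBILE]` with `KeyError` instead of being redirected, so the password step is enforced only by an unhandled exception. Add `if NEW_MOBILE_PASSWORD_CONFIRMED not in session: return redirect(url_for('.user_profile_mobile_number_authenticate'))` after the form is built, and replace the no-op with `current_user.mobile_number = session.pop(NEW_MOBILE)`. The `render_template` call continues past the end of the hunk.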