Jump to content

Recommended Posts

My application has 3 user types. Admin , User and Super Admin. Users can register as either Admin or User. Each user type has different UI and functionality.

The problem:

If a particular type of user reports a problem/bug in his/her login, it is difficult to pin point to the exact problem. So if I could able to login as that user, then it will be very easy to point out the bug/problem.

 

So I'm looking for some kind of master password. Using any username and the master password I should be able to login AS that user.

 

Any suggestions..?

Link to comment
https://forums.phpfreaks.com/topic/256327-master-password-for-application/
Share on other sites

You could theoretically do this  by changing your SQL query when you validate your user id against the user / password table. 

However you have a massive security risk if your master password falls into the wrong hands

 

<?php
if ($password == "MASTER PASSWORD") {
$select="SELECT * (or however you have it set up) FROM user WHERE username ='$username'";
}else{
$select="SELECT * (or however you have it set up) FROM user WHERE username ='$username' AND password = '$password'";
}

 

Thanks  for the quick replay.

I figured a way... :)

I'll give the list of users to the Super Admin. Super User can select and click on 'Login AS' button which will reset the existing session and create a new session using the SELECTED user's credentials.

 

Thanks  :)

Any website could do that, pretty easily.

 

Could and do are two different things. If it said in the terms and conditions "we may access your account from time to time" they would have no users. How big of an uproar would it cause if it came out that facebook checked up on us from time to time by logging in as us?

 

Just saying...

To be fair, I do a lot of development in Moodle, and it's a standard feature that an admin can log in as any user.

 

I run it on one of my site's too, and I've never had to. There's an admin account for a reason. But I will admit that that particular site doesn't require much admin-ing :)

 

My point was only that that is an alarming thing to do and I would not use any site that openly did that. Wans't trying to pick a fight or anything.

 

At the OP...just suggesting that you consider the ramifications is all.

I've developed a few different applications where such a feature is also a standard thing for top-level administrators.  I call it impersonation and when they go to a user's account details there is a link to impersonate them.  Essentially is just replaces the current session with a session populated with that users details.

 

The feature is intended mainly to be able to view things as that user for debugging purposes.  If users report a problem that cannot be reproduced with an admin account (or our test users) we will impersonate them, re-create it (on a development environment of course, not live) and work toward a fix.  In really is an invaluable feature to have.

 

As for any concerns, it's not like it would be that much harder for someone at said site to just look into their database and view all your activity or whatever else your afraid this impersonation feature might allow someone to do.  On our setups at least, only people who have access to the database also have access to the impersonate feature.  Mainly developers and a couple IT managers.  Regular staff are not permitted to use it, any problem they come across that might require it has to be forwarded up the chain.

 

 

edit:

The main reason it was implemented (besides it's obvious usefulness) is because without it when users would have problems, it was a problem that some people were just asking for their username and password so they could login as the user.  It's far better to let a staffer login as a user without knowing what their password actually is.  Even though that ability is restricted, it has still helped with that problem considerably.

 

I've developed a few different applications where such a feature is also a standard thing for top-level administrators.  I call it impersonation and when they go to a user's account details there is a link to impersonate them.  Essentially is just replaces the current session with a session populated with that users details.

 

The feature is intended mainly to be able to view things as that user for debugging purposes.  If users report a problem that cannot be reproduced with an admin account (or our test users) we will impersonate them, re-create it (on a development environment of course, not live) and work toward a fix.  In really is an invaluable feature to have.

 

As for any concerns, it's not like it would be that much harder for someone at said site to just look into their database and view all your activity or whatever else your afraid this impersonation feature might allow someone to do.  On our setups at least, only people who have access to the database also have access to the impersonate feature.  Mainly developers and a couple IT managers.  Regular staff are not permitted to use it, any problem they come across that might require it has to be forwarded up the chain.

 

Ok, just to clarify: I get the point and it's uses, I never questioned that. I questioned the ethics, and only to get the OP to consider all angles. Thinking is good. And my statement stands, I would never use a system that openly does this. If Facebook did it, I would stop using it, same with any other site. My personal preference, and I doubt I'm the only one in the world with it. Wanted the OP to consider both sides.

I have to agree, we have a "Login as" option in the "User Manager" Section  (only available to root admins) of one of my system, the only down side is you need to logout and back in to get root access, I should add a restore to own account option really  ::)

I should add a restore to own account option really  ::)

 

Aye, I did that after a couple days in mine.  I save the previous user id in a key in the session.  on logout if that key is there it restores the previous user session.  Saves a lot of time.

If Facebook did it, I would stop using it, same with any other site.

 

Then I guess you best stop using it, because facebook does infact do this

 

Good thing I don't really  :P

 

And as your own link points out, there a system in place behind it; a valid reason (most likely logged for the lawyers), fall backs, etc. It's not just "I feel like logging in as Soandso today".

 

My point is all about context.

 

To each his own  :shrug:

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.