views:

141

answers:

2

I am using

FormsAuthentication.SetAuthCookie("username", true );

so that a helpdesk person could impersonate another person's ans go in and see what the account looks like. I as wondering if there is a way my code can determine that this session is running through impersonation (so that I can block a couple of pages and flash a sign saying "You are impersonating this user: username)?

A: 

Check this question and see if it helps How to get Windows user name when identity impersonate=”true” in asp.net?

Shoban
+1  A: 

The best thing to do here is make sure the helpdesk users have to be logged in as themselves before they go to the page that allows them to impersonate another user.

At that point, either save a session variable or send a second cookie down to the browser that identifies who they really are and any other info you need to keep up with. I prefer storing this in session variables because it is more secure and you remain in control of the information on the server.

The rest of your code would work mostly like it does now responding as if the user really were the one they impersonate, but any code that needs to test for impersonation can read the session or alt cookie to know if they are impersonating or not.

Stephen M. Redd