Hello,

We have an ASP.Net web application, currently released to the public, that uses Membership and Provider features and has our users assigned to a "Basic" role. What we are working on doing is developing an administrative site, so that administrators (presumably to be assigned an "Admin" role) are able to log in to the administrative site, where they will have access to a list of users in the "Basic" role.

From the admin site, we want to allow the administrators to click on any of the "Basic" users and effectively be logged into their account (loading the user's profile information in the process, as is the case when a "Basic" user logs in), while still remaining logged into the administrative account.

Can anyone please suggest a way to do the above?

Any help would be appreciated.

Thanks, Brent

A: 

Ok, let's assume that authentication is not a problem, e.g. you either have encrypted passwords that you can munge around to effect a login or some other method of authenticating as another user whose password you do not (SHOULD NOT) have.

That is the easy part.

The hard part is that you absolutely cannot have 2 principals/identities, e.g. Request.User, which is what all of the membership, roles and profiles work off of. It is simply impossible.

A possible solution is to create a very secured bootstrap page that accepts params such as the userid only and can authenticate.

Embed an IFrame in your administrative page, send it to the right url and browse as the user in the context of the IFrame, which should not share cookies with the parent.

Mind you, this is just an off the top of my head workaround, there are sure to be issues with this approach even if it could solve your problem.

Sky Sanders
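
One way to harden the "very secured bootstrap page" the answer describes, as an added example that is not part of the original post: the admin site hands over a short-lived HMAC-signed token, and the public site re-checks roles before issuing a tagged forms-authentication ticket. It assumes the two sites share a membership/role store and a secret key; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
// Added example; assumes a shared role store and secret key. Names are hypothetical.
public static class Impersonation
{
    // Admin site: call only after verifying the caller is in the "Admin" role.
    public static string CreateToken(string admin, string target, byte[] key, DateTime utcNow)
    {
        if (admin.Contains("|") || target.Contains("|")) throw new ArgumentException("'|' not allowed");
        string payload = admin + "|" + target + "|" + utcNow.AddSeconds(60).Ticks;
        return payload + "|" + Sign(payload, key);
    }
    // Public site: verify MAC and expiry first. Replay inside the 60 s window needs a single-use nonce.
    public static bool TryValidate(string token, byte[] key, DateTime utcNow, out string admin, out string target)
    {
        admin = target = null;
        string[] p = (token ?? "").Split('|');
        if (p.Length != 4 || !long.TryParse(p[2], out long expiry)) return false;
        if (!FixedTimeEquals(Sign(p[0] + "|" + p[1] + "|" + p[2], key), p[3]) || utcNow.Ticks > expiry) return false;
        admin = p[0]; target = p[1];
        return true;
    }
    // Bootstrap page logic: re-check roles here, then issue a short-lived ticket tagged with the admin.
    public static bool SignInAs(HttpContext ctx, string token, byte[] key)
    {
        if (ctx.Request.HttpMethod != "POST" ||
            !TryValidate(token, key, DateTime.UtcNow, out string admin, out string target)) return false;
        if (!Roles.IsUserInRole(admin, "Admin") || !Roles.IsUserInRole(target, "Basic")
            || Roles.IsUserInRole(target, "Admin")) return false;   // never impersonate another admin
        var ticket = new FormsAuthenticationTicket(2, target, DateTime.Now,
            DateTime.Now.AddMinutes(15), false, "impersonatedBy=" + admin);
        ctx.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = true });
        System.Diagnostics.Trace.TraceInformation("{0} signed in as {1}", admin, target);  // audit trail
        return true;
    }
    static string Sign(string payload, byte[] key)
    {
        using (var h = new HMACSHA256(key)) return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The `impersonatedBy` value travels in the ticket's `UserData`, so the public site can show a banner and restrict sensitive actions (password or e-mail changes) while an admin is acting as the user.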