tags:

views:

171

answers:

2
Q: 

ASP.NET Membership/Roles/FormsAuth - how can I login as a super-user?

I'm working on a web application that uses the ASP.NET 2.0 Membership and Roles providers with Forms Authentication. There are various roles in the system. I need to have a user role that is essentially a super-user that can "login" as any user account (in effect impersonating the user).

Does anyone know if this is possible using the providers? Any ideas?

One approach I was thinking of was to logout the super-user and sign them in as the desired user with

FormsAuthentication.SetAuthCookie(username, false);

And adding a variable to their Session to flag them as a super-user. I think this would work, but I was just wondering if there's a smarter way to do it without directly using the Session object?

A: 

Why don't you have a SuperUser role that can do anything? Then the user can be just part of that role.

If what you really need to have is an ability for an administrator to impersonate someone else, I don't know what is the additional flag for? If it marks the currently logged in user giving him super powers the same will be achieved by setting up a role. If you, however, need to just impersonate someone else (e.g. this is help desk and you need to see exactly the same as the end user sees) - I would just check the credentials normally, then check if a superuser is logging in and who they want to impersonate and based on that just authenticate the logging in user as the one that he's willing to impersonate.

I hope what I wrote makes sense...

Pawel Krakowiak  2009-02-25 15:44:42
Hi Pawel. Thanks for your feedback. I mightn't have explained it properly - the site uses Personalisation so that a view is different for each user and this is leveraged by using HttpContext.Current.User.I need this to be the logged-in user, but also know that it is a super-user.
Andrew Corkery  2009-02-25 16:00:33
A: 

Asp.net approach doesn't support the concept, so you are right on trying to find an alternate way. Something that you can do is add the IsSuperUser info to the authentication ticket UserData property.

eglasius  2009-02-25 17:12:53
Thanks Freddy, I think I will go with this suggestion. Storing this information in the authentication ticket seems the most correct place for it.
Andrew Corkery  2009-02-26 09:21:45

related questions

after running aspnet_regsql.exe , do I have to init the db with data? how?
Not using e-mail address in a custom MembershipProvider?
How to pass the current user to a web control declaratively
How do you rename a Role using Membership in .NET?
What encryption algorithm does the .net membership provider use?
Membership.GetUser() & MARS
Web.config editing for Membership Role Authorization
Globalization of Membership exceptions isn't taking place... What to do?
OpenId development while disconnected from Internet
programmatic login with .net membership provider
Addin extra properties to MembershipProvider
ASP.Net Providers from web server in DMZ
ASP.NET PasswordRecovery Control with Localized content
Examples of asp.net mvc and authentication
ASP.NET Membership for high security scenarios?
ASP.NET Forms Authentication With Only UserName
What to use for membership in ASP.NET
How can I wrap a transaction around Membership.CreateUser?
New site creation and security/authentication,- should I use ASP.net Membership Provider?
ASP.NET WSAT (Website Administration Tool) and Custom Membership Providers
How do you manage asp.net SQL membership roles/users in production?
How to access UserId in ASP.NET Membership without using Membership.GetUser() ?
Can I use OpenId with the ASP MembershipProvider?
How do you pass an authenticaticated session between app domains
Class design decision