Impersonating another user


https://forum.kartris.com/Topic6909.aspx

By Supermac - Tue 23 May 2017
I need to grant access to a user (an agent) who then has to select one of his customers and navigate the site/see prices/create orders as if he were that customer...

Let's say that I have both agents and customers stored in Kartris' users table and that I can already link an agent with his customers: the agent could decide to create an order for one of his customers by selecting the customer's name from a dropdown list (I don't want to give the agent all customers' usernames and passwords and tell him to log in again using the customer's credentials)... after that operation the agent should see the site as if he were the customer (so he should even "temporarily" belong to the customer's customerGroup, add items to the basket and complete the order, see the order history, etc...).

My problem is how to tell Kartris that the agent is navigating/seeing prices/ordering with the customer account (I think I should effectively use the customer account with a session variable that flags the user as an agent)... any suggestion on how to achieve that result is welcome.
By Tiggywiggler - Wed 24 May 2017
Would you be happy for the agent to be logged in as the customer even without being given the username / password?

You could directly instruct the login system to load the security profile of the customer against the session being used by the agent, and then every request that the agent makes to the ASP.Net application will have an authentication cookie that maps to the customer.

Of course, the agent has access to all of the customer's information etc. as if he was the customer, but the credentials are not shared.

You may be able to use FormsAuthentication.SetAuthCookie(strFldEmailAddress, True) where strFldEmailAddress is the customer's email address.
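An added example of the SetAuthCookie approach (not Kartris code and not from this thread), written so the impersonated session still records which agent is acting: the customer becomes the ticket name, the agent is stored in the ticket's UserData for logging and authorization decisions, and the cookie is a non-persistent session cookie rather than the persistent one SetAuthCookie(..., True) creates. AgentLinkedToCustomer is an assumed lookup standing in for the agent/customer link Supermac describes.

```vbnet
' Added example, not Kartris code: impersonate a customer from an agent session
' while keeping the agent's identity inside the Forms authentication ticket.
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Module AgentImpersonation

    ' Constructed sample of the agent -> customers link table (hypothetical data).
    Private ReadOnly Links As New Dictionary(Of String, HashSet(Of String)) From {
        {"agent@example.com", New HashSet(Of String) From {"customer1@example.com", "customer2@example.com"}}
    }

    ' Assumed lookup: only customers linked to this agent may be impersonated.
    Public Function AgentLinkedToCustomer(agentEmail As String, customerEmail As String) As Boolean
        Dim customers As HashSet(Of String) = Nothing
        Return Links.TryGetValue(agentEmail, customers) AndAlso customers.Contains(customerEmail)
    End Function

    ' Issue the customer's auth cookie, recording the agent in UserData so the
    ' application and its logs can always tell an impersonated session apart.
    Public Sub ImpersonateCustomer(response As HttpResponse, agentEmail As String, customerEmail As String)
        If Not AgentLinkedToCustomer(agentEmail, customerEmail) Then
            Throw New UnauthorizedAccessException("agent is not linked to this customer")
        End If
        ' Short-lived, non-persistent ticket: the impersonation ends with the browser session.
        Dim ticket As New FormsAuthenticationTicket( _
            1, customerEmail, DateTime.Now, DateTime.Now.AddMinutes(30), _
            False, "agent=" & agentEmail, FormsAuthentication.FormsCookiePath)
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True
        cookie.Secure = FormsAuthentication.RequireSSL
        cookie.Path = FormsAuthentication.FormsCookiePath
        response.Cookies.Add(cookie)
    End Sub

    ' Returns the agent's e-mail when the current user is an impersonated customer,
    ' otherwise Nothing; use it to flag the session and to write audit entries.
    Public Function ImpersonatingAgent(user As IPrincipal) As String
        Dim identity = TryCast(user.Identity, FormsIdentity)
        If identity Is Nothing Then Return Nothing
        Dim data As String = identity.Ticket.UserData
        If data.StartsWith("agent=") Then Return data.Substring("agent=".Length)
        Return Nothing
    End Function

End Module
```

Order creation and order history pages can call ImpersonatingAgent(User) to show an "acting as customer" banner and to log the agent alongside the customer on every order placed this way.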
By Mart - Wed 24 May 2017
Tiggywiggler (24/05/2017)
Would you be happy for the agent to be logged in as the customer even without being given the username / password?

You could directly instruct the login system to load the security profile of the customer against the session being used by the agent, and then every request that the agent makes to the ASP.Net application will have an authentication cookie that maps to the customer.


We actually do something quite similar to this with our recruitment (job board) software. An admin in the backend can search for candidates, or recruiters/employers. There is then a small button by the results to enable the admin to log in as that user. It uses the password hash to log in, which it pulls from the client/candidate's record - since it uses a special back end login page to do that, it doesn't hash the entered value (since it's already hashed). It would be effectively like enabling you to log in as a customer by using their hashed, rather than unhashed, password. Since this script is a back end one, the person using it must be logged into the backend (and hence has authenticated with an admin password).

The admin of course never knows the original plain text password (as in theory that is impossible to obtain).

I guess it would be a useful feature on Kartris. Our recruitment software is much older so it's classic ASP, but I don't think it would be a massive task to rewrite the code in ASP.NET.
By Supermac - Mon 29 May 2017
Thank you for your kind answers (a notification system by email in this forum would be a good add-on).

I need the agent to use the site/catalog via the frontend, I don't want to give him backend access... I already built a "frankenstein" mix of front/backend that allows an authorized user to enter an order in the frontend using the backend new order form (in which he can select the customer and insert items in the basket) by temporarily adopting the admin cookie, but I'm not happy with the result.

I'll have a look at the FormsAuthentication.SetAuthCookie approach suggested by Tiggy and eventually ask for further tips; thank you both!