Impersonating another user

Posted By Supermac Tue 23 May 2017
Supermac
 Posted Tue 23 May 2017
Supreme Being

Supreme Being - (33,491 reputation)

Group: Forum Members
Last Active: Wed 22 Jul 2020
Posts: 153, Visits: 874
I need to grant access to a user (an agent) who then has to select one of his customers and navigate the site/see prices/create orders as if he were that customer...

Let's say that I have both agents and customers stored in Kartris' users table and that I can already link an agent with his customers: the agent could decide to create an order for one of his customers by selecting the customer's name from a dropdown list (I don't want to give the agent all customers' usernames and pwd and tell him to log in again using the customer's credentials)... after that operation the agent should see the site as if he were the customer (so he should even "temporarily" belong to the customer's customerGroup, add items to the basket and complete the order, see the orders history, etc...).

My problem is how to tell Kartris that the agent is navigating/seeing prices/ordering with the customer's account (I think I should effectively use the customer account with a session variable that flags the user as an agent)... every suggestion on how to reach that result is welcome.
Tiggywiggler Marked As Answer
 Posted Wed 24 May 2017
Supreme Being

Supreme Being - (49,394 reputation)

Group: Forum Members
Last Active: Sat 29 Jun 2019
Posts: 229, Visits: 746
Would you be happy for the agent to be logged in as the customer even without being given the username / password?

You could directly instruct the login system to load the security profile of the customer against the session being used by the agent and then every request that the agent makes to the ASP.Net application will have an authentication cookie that maps to the customer.

Of course, the agent has access to all of the customer's information etc. as if he was the customer, but the credentials are not shared.

You may be able to use FormsAuthentication.SetAuthCookie(strFldEmailAddress, True) where strFldEmailAddress is the customer's email address.


We are always willing to help out the community or pitch in to help you fix a problem. However, if you want a complete solution made such as a code module or new feature added you have two options. Either
1) Reach out to the Kartris internal development team at http://www.kartris.com/Contact.aspx.
2) Contact one of the Kartris approved partners at http://www.kartris.com/t-Worldwide-Developers.aspx.

Have fun and good luck coding.
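
One way to apply the SetAuthCookie idea above while keeping track of who is really acting, as an added example that is not part of the original post and not Kartris code: it issues the forms-authentication ticket by hand so the agent's login travels in the ticket's UserData, and it refuses the switch unless the agent is linked to the customer. `AgentImpersonation`, `isLinked` (the site's own agent-to-customer lookup) and the `agent=` marker are assumed names.

```vb
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Added example, not Kartris code. AgentImpersonation, isLinked and the
' "agent=" marker are assumed names.
Public Module AgentImpersonation
    Private Const AgentPrefix As String = "agent="

    ' Re-issues the forms-auth cookie for customerEmail, but only when the caller
    ' is an authenticated agent that isLinked (the site's own lookup) ties to it.
    Public Function StartActingAs(context As HttpContext, customerEmail As String,
                                  isLinked As Func(Of String, String, Boolean)) As Boolean
        Dim current As IPrincipal = context.User
        If current Is Nothing OrElse Not current.Identity.IsAuthenticated Then Return False
        ' An already impersonated session may not hop to a further account.
        If GetActingAgent(context) IsNot Nothing Then Return False

        Dim agentEmail As String = current.Identity.Name
        If Not isLinked(agentEmail, customerEmail) Then
            System.Diagnostics.Trace.TraceWarning("Impersonation denied: {0} -> {1}", agentEmail, customerEmail)
            Return False
        End If

        ' Session-only, 30-minute ticket; UserData keeps the real actor's login.
        Dim ticket As New FormsAuthenticationTicket(1, customerEmail, DateTime.Now,
            DateTime.Now.AddMinutes(30), False, AgentPrefix & agentEmail,
            FormsAuthentication.FormsCookiePath)
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName,
                                     FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True
        cookie.Secure = FormsAuthentication.RequireSSL
        cookie.Path = FormsAuthentication.FormsCookiePath
        context.Response.Cookies.Add(cookie)
        System.Diagnostics.Trace.TraceInformation("Impersonation started: {0} -> {1}", agentEmail, customerEmail)
        Return True
    End Function

    ' Returns the agent's login if this request runs under an impersonated
    ' ticket, otherwise Nothing. Order and audit code can record it.
    Public Function GetActingAgent(context As HttpContext) As String
        If context.User Is Nothing Then Return Nothing
        Dim id As FormsIdentity = TryCast(context.User.Identity, FormsIdentity)
        If id Is Nothing OrElse String.IsNullOrEmpty(id.Ticket.UserData) Then Return Nothing
        If Not id.Ticket.UserData.StartsWith(AgentPrefix, StringComparison.Ordinal) Then Return Nothing
        Return id.Ticket.UserData.Substring(AgentPrefix.Length)
    End Function
End Module
```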
Mart
 Posted Wed 24 May 2017
Top Banana

Top Banana - (48,365 reputation)

Group: Administrators
Last Active: Wed 18 Nov 2020
Posts: 148, Visits: 3,450
Tiggywiggler (24/05/2017)
Would you be happy for the agent to be logged in as the customer even without being given the username / password?

You could directly instruct the login system to load the security profile of the customer against the session being used by the agent and then every request that the agent makes to the ASP.Net application will have an authentication cookie that maps to the customer.


We actually do something quite similar to this with our recruitment (job board) software. An admin in the backend can search for candidates, or recruiters/employers. There is then a small button by the results to enable the admin to log in as that user. It uses the password hash to log in, which it pulls from the client/candidate's record - since it uses a special back end login page to do that, it doesn't hash the entered value (since it's already hashed). It would be effectively like enabling you to log in as a customer by using their hashed, rather than unhashed, password. Since this script is a back end one, the person using it must be logged into the backend (and hence have authenticated with an admin password).

The admin of course never knows the original plain text password (as in theory that is impossible to obtain).

I guess it would be a useful feature on Kartris. Our recruitment software is much older so it's classic ASP, but I don't think it would be a massive task to rewrite the code in ASP.NET.
Wed 24 May 2017 by Mart
Supermac
 Posted Mon 29 May 2017
Supreme Being

Supreme Being - (33,491 reputation)

Group: Forum Members
Last Active: Wed 22 Jul 2020
Posts: 153, Visits: 874
Thank you for your kind answers (a notifications system by email in this forum would be a good add on).

I need the agent to use the site/catalog by frontend, I don't want to give him backend access... I already realized a "frankenstein"-mix of front/backend that allows an authorized user to enter an order in the frontend using the backend new order form (in which he can select a customer and insert items in the basket), temporarily adopting the admin cookie, but I'm not happy with the result.

I'll have a look at the FormsAuthentication.SetAuthCookie way suggested by Tiggy and eventually ask for further tips, thank you both!
