Impersonating another user

Tiggywiggler (24/05/2017)

Would you be happy for the agent to be logged in as the customer even without being given the username / password?

You could directly instruct the login system to load the security profile of the customer against the session being used by the agent and then every request that the agent makes to the ASP.Net application will have a authentication cookie that maps to the customer.

We actually do something quite similar to this with our recruitment (job board) software. An admin in the backend can search for candidates, or recruiters/employers. There is then a small button by the results to enable the admin to login as that user. It uses the password hash to login which it pulls from the client/candidate's record - since it uses a special back end login page to do that it doesn't hash the entered value (since its already hashed). It would be effectively like enabling you to login as a customer by using their hashed, rather than unhashed password. Since this script is a back end one the person using it must be logged into the backend (and hence having authenticated with an admin password).

The admin of course never knows the original plain text password (as in theory that is impossible to obtain).

I guess it would be a useful feature on Kartris. Our recruitment software is much older so its classic asp, but I don't think it would be a massive task to rewrite the code in asp.net.

Author	Message
Supermac	Posted Tue 23 May 2017
Supreme Being Group: Forum Members Last Active: Wed 22 Jul 2020 Posts: 153, Visits: 874 84,801	I need to grant an access to an user (an agent) that has then to select one of his customers and navigate the site/see prices/create orders as he was that customer... Lets say that I got both agent and customers stored in Kartris' users table and that I can already link agent with his customers: agent could decide to create an order for one of his customer selecting customer's name from a dropdown list (I don't want to give agent all customers' username and pwd and tell him to log in again using credentials of customer)... after that operation agent should see the site as he was the customer (so he should even "temporarely" belong to customer's customerGroup, add items to basket and complete order, see orders history, etc...). My problem is how to tell Kartris that agent is navigating/seeing prices/ordering with customer account (I think I should effectively use customer account having a session variable that flags user as agent)... every suggestion on how to reach that result is welcome.
	REPLY QUOTE LIKE 370
Tiggywiggler	Posted Wed 24 May 2017
Supreme Being Group: Forum Members Last Active: Mon 6 Dec 2021 Posts: 235, Visits: 750 124,050	Would you be happy for the agent to be logged in as the customer even without being given the username / password? You could directly instruct the login system to load the security profile of the customer against the session being used by the agent and then every request that the agent makes to the ASP.Net application will have a authentication cookie that maps to the customer. Of course, the agent has access to all of the customer's information etc. as if he was the customer, but the credentials are not shared. You may be able to use FormsAuthentication.SetAuthCookie(strFldEmailAddress, True) where strFldEmailAddress is the customers email address. We are always willing to help out the community or pitch in to help you fix a problem. However, if you want a complete solution made such as a code module or new feature added you have two options. Either 1) Reach out to the Kartris internal development team at http://www.kartris.com/Contact.aspx. 2) Contact one of the Kartris approved partners at http://www.kartris.com/t-Worldwide-Developers.aspx. Have fun and good luck coding.
	REPLY QUOTE LIKE 340
Mart	Posted Wed 24 May 2017
Top Banana Group: Administrators Last Active: Wed 18 Nov 2020 Posts: 148, Visits: 3,450 98,209	Tiggywiggler (24/05/2017) Would you be happy for the agent to be logged in as the customer even without being given the username / password? You could directly instruct the login system to load the security profile of the customer against the session being used by the agent and then every request that the agent makes to the ASP.Net application will have a authentication cookie that maps to the customer. We actually do something quite similar to this with our recruitment (job board) software. An admin in the backend can search for candidates, or recruiters/employers. There is then a small button by the results to enable the admin to login as that user. It uses the password hash to login which it pulls from the client/candidate's record - since it uses a special back end login page to do that it doesn't hash the entered value (since its already hashed). It would be effectively like enabling you to login as a customer by using their hashed, rather than unhashed password. Since this script is a back end one the person using it must be logged into the backend (and hence having authenticated with an admin password). The admin of course never knows the original plain text password (as in theory that is impossible to obtain). I guess it would be a useful feature on Kartris. Our recruitment software is much older so its classic asp, but I don't think it would be a massive task to rewrite the code in asp.net. Edited Wed 24 May 2017 by Mart
	REPLY QUOTE LIKE 326
Supermac	Posted Mon 29 May 2017
Supreme Being Group: Forum Members Last Active: Wed 22 Jul 2020 Posts: 153, Visits: 874 84,801	Thank you for your kind answers (a notifications system by email in this forum would be a good add on). I need the agent use the site/catalog by frontend, I don't want to give him a backend access... I already realized a "frankenstein"-mix of front/backend that allows an authorized user to enter an order in frontend using backend new order form (in which he can select customer and insert items in basket) temporarely adopting the admin cookie but I'm not happy of result. I'll have a look to FormsAuthentication.SetAuthCookie way suggested by Tiggy and eventually ask for further tips, thank you both!
	REPLY QUOTE LIKE 340

Impersonating another user

Impersonating another user

Similar Topics

Reading This Topic