Admin access to edit profile of any user - Issue with session

Question

I have made a PHP application which will be used by many users. When a user logins, i create a session and keep the user id and some other details in the session. There are some ajax requests when the user edits his profile. So in no way i am exposing the user id. But i always refer to the session. Even when the user saves his profile, the controller gets the id from session and then passes it to the model.

Now there is an admin, who should be able to view/edit any profile. This is done. I have a admin page with a user table. When he clicks on any player, it goes to another controller, which creates the session for that user and then admin can edit the profile. Any requests that go from the admin page, the session is first erased keeping the admin variable active and then the user session is appended.

Problem: When the admin tries to view multiple profiles at once, he can do that. But when the admin tries to edit multiple profiles at the same time(open new browser tabs for each user), it fails because the the last tab what he opens sets the new session for that particular user.

How can I get over this scenario ? What options do i have ? Is it possible ?

I don't want to append user'ids on all urls. They are not safe, especially for urls which do update/delete.

Answer 1

The short answer:

if it is under the admin panel you may pass the id of an user, it is safe, you trust your admins right?

Long answer (my own idea):

Store the reference, unique id to the user, and pair it with the session variable. For instance:

$_SESSION['editing_users'][YOUR_USER_ID] = uniqid();

then print it in the form.

After submitting the form you should get the variable, passed via input with hidden attribute. Find the unique id in your session array, and get ID of the target user from the key.