Hi guys, I need some help managing what we could call user session impersonation.
I have a role schema implemented in my application; to keep it simple, let's say that I have 2 roles
When a user logs into the system, they get redirected to their specific module. E.g., if the user is an administrator, they get redirected to the admin section. So far no problem at all; this is just to give you some context.
One of the features for the system administrator is the ability to impersonate a normal user account, so that they can perform any action as a regular user. The way I did it was simple: I just logged the system admin and re-authenticated as the user. The problem is when the same administrator wants to be in more than one account at the same time. Following that method, I override the cookie session with the latest information, so if I have 2 tabs, for example, and I decide to go back to a previous tab, when I refresh that tab the information the system admin gets is the latest. So I was thinking about the possibility of mixing in cookieless sessions to get all the information into the URL, so that in theory I could have multiple ASP.NET sessions.
So the question is whether that's possible: if the system is using cookie storage by default, can I have both systems running at the same time? Can I have the cookie system by default and set the cookieless system programmatically?
I just don't want to manually pass the user ID among all the actions and persist that information via the query string myself, because at this stage that would practically break my code and I'd have to refactor a huge section of the system.
Any comment will be totally welcome!
It's not possible to have two identities open at the same time in the same browser.
Two alternatives come to mind:
This looks pretty old, but in case someone is wondering, you can replace the user's identity during the AuthenticateRequest event in the application life-cycle with a GenericIdentity and GenericPrincipal or your own classes that implement the IPrincipal and IIdentity interfaces. How you determine which requests should change identity and which shouldn't could be based on a session variable (I tend to avoid these whenever possible) for impersonating in all windows/tabs, or perhaps a query string or form field to make specific tabs/windows function as the other user. Setting HttpContext.Current.User is temporary to the duration of the request and does not change their FormsAuthentication cookie.
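One way to apply the per-request identity swap described in the answer above, with the authorization and audit checks it needs, as an added example that is not part of the original thread. The "impersonate" query-string key, the role names, the "RealUser" item key and the in-memory role table are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Assumptions (not from the post): the "impersonate" key, the role names,
    // and this constructed in-memory role table standing in for the user store.
    private const string ImpersonateKey = "impersonate";
    private static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Administrator" } },
            { "bob",   new[] { "User" } },
        };

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal real = Context.User; // set from the FormsAuthentication cookie
        string target = Request.QueryString[ImpersonateKey];
        if (string.IsNullOrEmpty(target)) return;
        if (real == null || !real.Identity.IsAuthenticated) return;

        string admin = real.Identity.Name;
        string[] realRoles;
        string[] targetRoles = null;

        // Only a real administrator may switch, and only to an existing non-admin account.
        bool allowed = Roles.TryGetValue(admin, out realRoles)
            && Array.IndexOf(realRoles, "Administrator") >= 0
            && Roles.TryGetValue(target, out targetRoles)
            && Array.IndexOf(targetRoles, "Administrator") < 0;

        // Record every attempt, granted or denied, against the real account.
        System.Diagnostics.Trace.WriteLine(string.Format(
            "impersonation {0}: admin={1} target={2}",
            allowed ? "granted" : "denied", admin, target));
        if (!allowed) return; // the cookie identity stays in effect

        Context.Items["RealUser"] = admin; // keep the real actor for audit trails
        // Lasts for this request only; the FormsAuthentication cookie is untouched.
        Context.User = new GenericPrincipal(
            new GenericIdentity(target, "Impersonation"), targetRoles);
    }
}
```

Because the swap is re-evaluated on each request, every link and form in the impersonating tab has to carry the key, and a request without it runs as the administrator from the cookie.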