
Asp.net MVC Multiple User Sessions / User Impersonation

Hi guys, I need some help managing what we could call user session impersonation.

I have a role schema implemented in my application; to keep it simple, let's say that I have 2 roles:

  • System Admin
  • Normal User

When a user logs into the system they get redirected to their specific module. Ex: if the user is an administrator they get redirected to the admin section. So far no problem at all; this is just to give you some context.

One of the features for the system administrator is the ability to impersonate a Normal User account, so that they can perform any action as a regular user. The way that I did it was simple: I just logged the system admin and re-authenticated as the user. The problem is when the same administrator wants to be in more than one account at the same time. Following that method, I override the cookie session with the latest information, so if I have 2 tabs, for example, and I decide to go to a previous tab, when I refresh the tab the information that the system admin will get is the latest. So I was thinking about the possibility of trying to mix cookieless sessions to get all the information into the URL, to in theory have multiple ASP.NET sessions.

So the question is whether that's possible: if the system is using cookie storage by default, can I have both systems running at the same time? Can I have the cookie system by default and set the cookieless system programmatically?

I just don't want to manually pass the user Id among all the actions and persist that information via query string myself, because at this stage that will practically break my code and I'll have to refactor a huge section of the system.

Any comment will be totally welcome!

It's not possible to have two identities open at the same time in the same browser.

Two alternatives come to my head:

  • Ask the admin to open another browser, or the same browser with a different user (in the case of Chrome), to operate two identities at the same time.
  • Change the approach of your app: instead of changing the identity, offer the admin a dropdown with the users. The action will be executed using that user for retrieving the data or whatever (of course, it depends on your app).

This looks pretty old, but in case someone is wondering, you can replace the user's identity during the AuthenticateRequest event in the application life-cycle with a GenericIdentity and GenericPrincipal or your own classes that implement the IPrincipal and IIdentity interfaces. How you determine which requests should change identity and which shouldn't could be based on a session variable (I tend to avoid these whenever possible) for impersonating in all windows/tabs, or perhaps a query string or form field to make specific tabs/windows function as the other user. Setting HttpContext.Current.User is temporary to the duration of the request and does not change their FormsAuthentication cookie.
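
The per-tab variant described in the answer above, as an added example (not code from the original post): the identity is swapped in AuthenticateRequest only when the cookie-authenticated user is a System Admin, and the real name is kept for auditing. The query-string key `impersonate`, the `RealUserKey` item and the `RoleStore` helper are hypothetical names standing in for the application's own role schema.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public class MvcApplication : HttpApplication
{
    private const string ImpersonateKey = "impersonate"; // assumed query-string key
    public const string RealUserKey = "RealUserName";    // assumed Items key for audit logging

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Set by FormsAuthenticationModule from the cookie; always the real login.
        IPrincipal real = Context.User;
        if (real == null || !real.Identity.IsAuthenticated) return;

        string target = Request.QueryString[ImpersonateKey];
        if (string.IsNullOrWhiteSpace(target)) return;

        // Authorize on every request against the real identity, never the swapped one.
        bool allowed = RoleStore.IsInRole(real.Identity.Name, "System Admin")
                    && RoleStore.Exists(target)
                    && !RoleStore.IsInRole(target, "System Admin"); // assumed policy: no admin-to-admin
        if (!allowed) throw new HttpException(403, "Impersonation not permitted.");

        Context.Items[RealUserKey] = real.Identity.Name; // who really acted, for the audit trail
        // Lasts for this request only; the FormsAuthentication cookie is untouched.
        Context.User = new GenericPrincipal(
            new GenericIdentity(target, "Impersonation"), RoleStore.GetRoles(target));
    }
}

// Hypothetical stand-in for the application's role schema; sample data is constructed.
public static class RoleStore
{
    private static readonly Dictionary<string, string[]> Users =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "System Admin" } },
            { "bob",   new[] { "Normal User" } },
        };

    public static bool Exists(string user) { return Users.ContainsKey(user); }
    public static string[] GetRoles(string user) { return Exists(user) ? Users[user] : new string[0]; }
    public static bool IsInRole(string user, string role)
    {
        return Array.IndexOf(GetRoles(user), role) >= 0;
    }
}
```

Because the parameter only selects the identity and the role check runs against the cookie-authenticated user each time, a Normal User who adds it to a URL gets a 403 rather than another account.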
