 

ASP.NET MVC 5 Membership impersonate specific user

There are many examples about impersonating a user in c# but the thing is you have to provide the domain, username and password of that user.

What I need is a bit different. If we build an app in ASP.NET MVC 5 using membership, let's assume we have the following roles in place:

  • Admin
  • User
  • Visitor

and users who belong to different roles.

Now if a user from role User has some issues with the application, how can I allow a user from Admin role to impersonate that specific user, without that specific user having to give the Admin his username and password?

The main thing is that the Admin should be able to impersonate any user from the application and be able to browse the application as the user himself.

Is this possible to achieve in MVC?

There are many applications out there that offer this possibility, one of them is Salesforce. An Admin in Salesforce can impersonate any user, and browse/see the application as the user himself. This will allow them to identify and solve possible problems in the application.

David Dury asked Feb 07 '15 11:02



1 Answer

Now if a user from role User has some issues with the application, how can I allow a user from Admin role to impersonate that specific user, without that specific user having to give the Admin his username and password? ...Is this possible to achieve in MVC?

This can be accomplished without knowing the password of the user to be impersonated, but you do have to know the username of the user to be impersonated.

You can do this with the following using normal Forms Authentication:

FormsAuthentication.SetAuthCookie("username-to-be-impersonated", false);

Of course you would want to protect the entry to this block of code, so that only admins can do the impersonation. You will probably want to do something else like save the admin user's username in session or cookie to help the system know that an impersonation is in progress, and give the user the ability to reverse it when they are done impersonating.

Bottom line is, all the membership system cares about is the auth cookie, and you can write an auth cookie for any username without knowing the user's password.

The process is the same for ASP.NET Identity 2; the difference is just how you write the auth cookie. Note the code below is a snippet based on the comment that @trailmax left in the OP:

// Requires Microsoft.AspNet.Identity, Microsoft.AspNet.Identity.Owin and
// Microsoft.Owin.Security; assumes this runs inside an async method and that
// you already have references to a UserManager and HttpContext.
var userToImpersonate = await userManager
    .FindByNameAsync(userNameToImpersonate);
if (userToImpersonate == null)
    throw new InvalidOperationException("No such user: " + userNameToImpersonate);
// Build a claims identity for the target user; no password is involved.
var identityToImpersonate = await userManager
    .CreateIdentityAsync(userToImpersonate,
        DefaultAuthenticationTypes.ApplicationCookie);
var authenticationManager = httpContext.GetOwinContext().Authentication;
// Replace the admin's application cookie with one for the impersonated user.
authenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
authenticationManager.SignIn(new AuthenticationProperties()
{
    IsPersistent = false   // session cookie only; never persist an impersonation
}, identityToImpersonate);

You should also have a policy that allows you to somehow get the user's permission before having an admin impersonate their account.

danludwig answered Oct 06 '22 04:10
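The answer above describes three pieces: gating the cookie swap to admins, recording that an impersonation is in progress, and letting the admin reverse it. The controller below puts them together for the ASP.NET Identity 2 case as an added example; it is not code from the answer or from any project. It assumes the ApplicationUserManager type the default MVC 5 Identity template generates, and the claim type string is a constructed name.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

// Hypothetical controller. ApplicationUserManager is the name the default
// MVC 5 Identity template generates; adjust to your project's types.
public class ImpersonationController : Controller
{
    private const string OriginalUserClaim = "urn:impersonation:original-user"; // constructed name
    private ApplicationUserManager UserManager =>
        HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
    private IAuthenticationManager AuthManager =>
        HttpContext.GetOwinContext().Authentication;

    // Only admins may start an impersonation; anti-forgery token because it changes state.
    [HttpPost, ValidateAntiForgeryToken, Authorize(Roles = "Admin")]
    public async Task<ActionResult> Start(string userName)
    {
        var target = await UserManager.FindByNameAsync(userName);
        if (target == null) return HttpNotFound();
        var identity = await UserManager.CreateIdentityAsync(
            target, DefaultAuthenticationTypes.ApplicationCookie);
        // Record who is really behind the session so it can be reversed and audited.
        identity.AddClaim(new Claim(OriginalUserClaim, User.Identity.GetUserId()));
        AuthManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        AuthManager.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
        return RedirectToAction("Index", "Home");
    }

    // While impersonating, the cookie carries the target's roles, not Admin, so
    // reverting is gated on the marker claim rather than on the Admin role.
    [HttpPost, ValidateAntiForgeryToken, Authorize]
    public async Task<ActionResult> Stop()
    {
        var originalId = ((ClaimsIdentity)User.Identity).FindFirstValue(OriginalUserClaim);
        var admin = originalId == null ? null : await UserManager.FindByIdAsync(originalId);
        if (admin == null) return new HttpStatusCodeResult(400);
        var identity = await UserManager.CreateIdentityAsync(
            admin, DefaultAuthenticationTypes.ApplicationCookie);
        AuthManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        AuthManager.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
        return RedirectToAction("Index", "Home");
    }
}
```

Because the marker lives inside the signed auth cookie rather than in session state, it survives app-pool recycles and cannot be set by the browser, and any audit logging can read the same claim to attribute actions to the real admin.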