 

CakePHP admin login as another user without using password

I am creating a CakePHP application that should allow an admin to log in as any user on the site without knowing the password. Basically, if the admin wants to log in as a manager, he can simply click a button to log in as a manager.

Thank you

harikrish asked Jan 15 '23 21:01


2 Answers

I call this user-switching. I implemented this using my DirectAuth: https://github.com/dereuromark/cakephp-tools/blob/cake2/Controller/Component/Auth/DirectAuthenticate.php

But you can also simply

a) log in as admin

b) have a form with all users to select the one you want to switch to

c) switch via POST, read the user + $this->Auth->login($userData)

login() with data passed will overwrite the current session data and therefore automatically log you in as this user. Just make sure that only the admin role can access the switch action.

Side notes:

  • Store something like Auth.Admin.id in the session if you want to be able to switch back (will remember the original Auth.User.id) - if existent, this id could then also have access to the switch action to jump back to the admin.

  • Use this Auth.Admin.id to identify whether you are currently the real one or the fake one. This is handy if you do NOT want to trigger certain things like "online activity update" or "message read" etc., which only the real user should, IMO. This way you can prevent this.

mark answered Jan 30 '23 13:01
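The switch and switch-back flow described in the answer above, as an added example for CakePHP 2.x that is not part of either answer. The action names, the `role` column with value `admin`, and the `User.id` POST field are assumptions; `Auth.Admin.id` is the session key the answer suggests.

```php
<?php
// Added example for CakePHP 2.x; assumes a users.role column ('admin'),
// a POST field User.id, and Auth + Session components on AppController.
App::uses('AppController', 'Controller');
App::uses('CakeLog', 'Log');

class UsersController extends AppController {

    // Admin -> target user: POST only, real admin only, no nested switches.
    public function switch_user() {
        $id = $this->request->data('User.id');
        if (!$this->request->is('post') || !is_scalar($id)) {
            throw new BadRequestException();
        }
        if ($this->Auth->user('role') !== 'admin' || $this->Session->check('Auth.Admin.id')) {
            throw new ForbiddenException();
        }
        $adminId = $this->Auth->user('id');
        $target = $this->User->find('first', array(
            'conditions' => array('User.id' => $id),
            'recursive' => -1,
        ));
        if (empty($target)) {
            throw new NotFoundException();
        }
        unset($target['User']['password']); // keep the hash out of the session
        $this->Auth->login($target['User']); // overwrites Auth.User
        $this->Session->write('Auth.Admin.id', $adminId); // remember the real account
        CakeLog::write('info', "admin $adminId switched to user {$target['User']['id']}");
        return $this->redirect('/');
    }

    // Target user -> admin: trust the stored id only after re-reading the row.
    public function switch_back() {
        $adminId = $this->Session->read('Auth.Admin.id');
        if (!$this->request->is('post') || empty($adminId)) {
            throw new ForbiddenException();
        }
        $this->Session->delete('Auth.Admin.id');
        $admin = $this->User->find('first', array(
            'conditions' => array('User.id' => $adminId, 'User.role' => 'admin'),
            'recursive' => -1,
        ));
        if (empty($admin)) { // account removed or demoted while switched
            return $this->redirect($this->Auth->logout());
        }
        unset($admin['User']['password']);
        $this->Auth->login($admin['User']);
        return $this->redirect('/');
    }
}
```

Have the logout action delete `Auth.Admin.id` as well, so the marker does not outlive the login.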


You can simply use the following code. The previous admin session will be overwritten. Furthermore, by using is_manager_login in the session you can automatically sign in the admin when the admin logs out as manager.

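    // Look up the account to switch to by its email address.
    $manager_info = $this->User->find('first', array(
        'conditions' => array('User.email' => $managerEmail)
    ));

    if (!empty($manager_info)) {
        // Overwrite the current Auth session with the manager's record.
        $this->Auth->login($manager_info['User']);
        // Flag the session as a switched login (write() takes key and value).
        $this->Session->write('is_manager_login', true);
    }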

Gaurav Malik answered Jan 30 '23 13:01