We are in the process of designing a feature for a site that should allow some staff members to view our site as another registered user. I would really love to hear from people who already thought about this kind of functionality or implemented something like this.
This should be a community wiki. And I will mark it as one when it'll be possible.
I've done this two ways in the past.
The easiest was to just allow people of sufficient privilege to log in as an arbitrary user without a password. It's just an in-session login, completely replacing who-you-were with who-you're-pretending-to-be. You return to yourself by logging out and logging in again.
The other was to keep a flag in session saying "I'm really user ABC" and check for that flag on appropriate admin pages (the mechanism is irrelevant, but can generally be done cleverly and essentially invisibly in most frameworks) but switch the session user to user XYZ. The same "skip the password" mechanism would be used as in the first.
The latter is more complex, but obviates the need to logout/login, and allows nice tricks, like running the site inside an iframe and keeping an admin menu visible to "drop out" of the special mode and so on.
I've seen two ways:
URL parameter 'changeToUser=login'. A filter verifies whether you have enough permission to change your identity and then switches, let's say, your principal in Spring. If you need, you can add a flag to the session that indicates your real id and that you have the right to switch again and again. Without the flag you won't be able to switch again without logging off. This method is extremely useful when testing a flow application (1st user does something, then 2nd user responds, etc.). On a dev/UAT server your application may render proper links which let you switch to the user you need with one click.
You change your id during login. You use a faked login, e.g. my-login#login-of-user-i--pretend, and your real password. You just add another authenticator to the chain, before your LDAP authenticator (or whatever you use).
The second is comfortable for a small application without flows/jBPM processes and when you rather use this feature to do something because the real user is sick/out of office and can't log in at the moment. But when you want to test a flow application, which requires a lot of switches, then the first solution is way better, especially with rendered links.
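The "real-login#target-login" scheme from the second method above, written out as an authenticator chain. This is an added example and not the answer's own code: the in-memory account table, the PBKDF2 password store, the static salt, the `Principal` type and the role name "impersonate" are all constructed stand-ins (the answer's setup would have LDAP in the place of `password_authenticator`). The password is always checked against the real user, the target's password is never needed, and the `#` form is consumed before the plain authenticator so that the literal string "alice#bob" is never forwarded downstream as a login.

```python
"""Login-time impersonation: 'real#target' with the real user's password.
Added example; accounts, salt, passwords and Principal are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 50_000
_SALT = b"constructed-static-salt"  # one random salt per user in real code


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed accounts; stands in for the LDAP directory of the answer.
USERS = {
    "alice": {"hash": hash_password("alice-pw", _SALT), "roles": {"staff", "impersonate"}},
    "bob":   {"hash": hash_password("bob-pw", _SALT),   "roles": {"staff"}},
    "carol": {"hash": hash_password("carol-pw", _SALT), "roles": set()},
}


class AuthenticationFailed(Exception):
    """Raised by an authenticator that has claimed the login but rejected it."""


@dataclass(frozen=True)
class Principal:
    name: str        # identity the application acts as
    real_name: str   # identity that actually proved a password (for the audit trail)


def password_authenticator(login: str, password: str) -> Optional[Principal]:
    """Ordinary authenticator; returns None for unknown user or wrong password."""
    record = USERS.get(login)
    if record is None:
        return None
    if not hmac.compare_digest(record["hash"], hash_password(password, _SALT)):
        return None
    return Principal(name=login, real_name=login)


def impersonation_authenticator(login: str, password: str) -> Optional[Principal]:
    """Handles 'real#target'. Returns None only when the login is not in that
    form, so the chain continues; once claimed, failure is final."""
    if "#" not in login:
        return None
    real, _, target = login.partition("#")
    proven = password_authenticator(real, password)   # password belongs to the real user
    if proven is None:
        raise AuthenticationFailed("real user's password did not verify")
    if "impersonate" not in USERS[real]["roles"]:
        raise AuthenticationFailed(f"{real} may not impersonate")
    if target not in USERS:
        raise AuthenticationFailed("unknown target user")
    return Principal(name=target, real_name=real)


# Order matters: the '#' form must be handled before the plain (LDAP) step.
AUTHENTICATORS = [impersonation_authenticator, password_authenticator]


def authenticate(login: str, password: str) -> Optional[Principal]:
    """Run the chain; first authenticator that returns a Principal wins."""
    try:
        for auth in AUTHENTICATORS:
            principal = auth(login, password)
            if principal is not None:
                return principal
    except AuthenticationFailed:
        return None
    return None
```

Keeping `real_name` on the principal is what makes the audit trail usable: the session runs as the target, but every log line can still say who really typed the password. Note also that the target's own account state (lockout, disabled flag, password expiry) is never consulted here, which is convenient for the sick-colleague case the answer describes and exactly why the "impersonate" role must be handed out sparingly.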