I have a control panel that allows admins to enter certain search criteria about a user for moderation purposes. I am almost afraid to admit this on here due to the backlash I will surely receive, but on this page the admins can look up users' passwords, so they can sign in as them for moderation purposes. So before you tear me a new one, let me say that I JUST finished hashing everyone's password with sha1 and a unique salt!
That being said, I want to allow the admins to be able to “become” a user or log in as any user they choose.
I am looking for the easiest, most secure method of doing this. Please let me know any information you may need from me so that you can better answer my question.
Thanks in advance.
I did this when I designed a high school site. I allowed staff to “proxy” in as another user. However, they would just enter the username, and then it would emulate a session for that user. They would never access the password at any point.
I had a `$USER` object and a `$SESSION` object. The `$USER` stored the currently active user, and the `$SESSION` stored the actual logged-in user. Normally, they would be the same, but if a user was proxied in as another user, then `$USER->username` would not equal `$SESSION->username`, and that would allow me to display a banner that said “You are proxied in as USER, to resume your session, click here”.
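The proxy scheme described in that answer, written out as an added example (this is not the answerer's or the original poster's code). The session keys, the `users()` store, the function names and the audit callback are assumptions made for illustration; the session is a plain array so the script runs from the command line, where a real application would use `$_SESSION` and call `session_regenerate_id(true)` at login. The point the example makes concrete is that the admin's real identity and the impersonated identity are kept separately, authorization is checked against the real identity only, and the target user's password is never read.

```php
<?php
// Added example: "proxy in" as another user without touching their password.
// Session keys, users() and the function names are assumptions, not the poster's code.
declare(strict_types=1);

// Constructed in-memory user store standing in for the real database.
// Impersonation needs no password material, so the store carries none.
function users(): array {
    return [
        7  => ['id' => 7,  'username' => 'alice', 'is_admin' => true],
        42 => ['id' => 42, 'username' => 'bob',   'is_admin' => false],
    ];
}

function findUser(int $id): ?array {
    return users()[$id] ?? null;
}

// Called after the admin authenticates normally with their own password.
function login(array &$session, int $userId): void {
    $session = [];                          // drop state from any earlier session
    $session['auth_user_id'] = $userId;     // the real, authenticated identity ($SESSION)
    $session['auth_time'] = time();
}

// Start proxying as $targetId. The check runs against the real identity, so an
// admin who is already proxied cannot hop from the proxied account to a third one.
function startProxy(array &$session, int $targetId, callable $audit): bool {
    $actor  = findUser($session['auth_user_id'] ?? -1);
    $target = findUser($targetId);
    if ($actor === null || $target === null) return false;
    if (!$actor['is_admin'])                 return false;   // only admins may proxy
    if ($target['is_admin'])                 return false;   // never proxy into another admin
    if ($actor['id'] === $target['id'])      return false;
    $session['proxy_user_id'] = $target['id'];
    $audit(sprintf('user %d started proxy as user %d', $actor['id'], $target['id']));
    return true;
}

// The "click here to resume your session" action.
function stopProxy(array &$session, callable $audit): void {
    if (isset($session['proxy_user_id'])) {
        $audit(sprintf('user %d stopped proxy as user %d',
            $session['auth_user_id'], $session['proxy_user_id']));
        unset($session['proxy_user_id']);
    }
}

// $SESSION in the answer: who really logged in.
function sessionUser(array $session): ?array {
    return findUser($session['auth_user_id'] ?? -1);
}

// $USER in the answer: whose pages and permissions apply right now.
function currentUser(array $session): ?array {
    return findUser($session['proxy_user_id'] ?? $session['auth_user_id'] ?? -1);
}

// Banner shown whenever $USER and $SESSION differ; empty otherwise.
function proxyBanner(array $session): string {
    $real = sessionUser($session);
    $cur  = currentUser($session);
    if ($real === null || $cur === null || $real['id'] === $cur['id']) return '';
    return sprintf('You are proxied in as %s. <a href="/proxy/stop">Click here</a> to resume your session as %s.',
        htmlspecialchars($cur['username'], ENT_QUOTES),
        htmlspecialchars($real['username'], ENT_QUOTES));
}

// Demonstration with a constructed audit log.
$log   = [];
$audit = function (string $line) use (&$log): void { $log[] = date('c') . ' ' . $line; };
$session = [];

login($session, 7);                                    // alice logs in as herself
var_dump(startProxy($session, 42, $audit));            // bool(true): admin proxies as bob
echo proxyBanner($session), PHP_EOL;                   // banner, since $USER != $SESSION
echo currentUser($session)['username'], PHP_EOL;       // bob
stopProxy($session, $audit);
var_dump(proxyBanner($session) === '');                // bool(true): back to alice

login($session, 42);                                   // bob logs in as himself
var_dump(startProxy($session, 7, $audit));             // bool(false): not an admin
print_r($log);                                         // two audit lines, both naming alice
```

Because the admin never needs the stored credential, the password column can use a proper password hash such as `password_hash()`, and the `/proxy/stop` endpoint should require a POST with a CSRF token and should write to the same audit log so every moderation action can be traced back to the real admin.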