Home/ Questions/Q 617931
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T18:29:21+00:00

In our application, we have a need for a user to impersonate a different

  • 0

In our application, we have a need for a user to “impersonate” a different user. Think of it as a hierarchy — Bob is above Frank in a hierarchy. Bob is logged in, and he needs to do things in the system for a short time as Frank. So, we have given Bob a list of users that report to him, and an impersonate link. He clicks on this link, and, behind the scenes, I log Bob out, and log in as Frank. I also set a session variable that tells me that really Bob is they guy who is the user. Also, Bob (acting as Frank now) has a nice little link at the top of every page that says “Stop Impersonation.”

In addition, when Bob is impersonating Frank, Bob is restricted from doing some things, like changing Frank’s password.

This was working great, until we encountered a situation where, if the session (I think — getting confused here) gets destroyed (such as when I copy up new code and dlls to the live site), then when Bob clicks on “Stop Impersonation” he gets redirected to the default page, and is still logged in as Frank, but without the Impersonation session variable. So, now Bob really is logged in as Frank, and can change Frank’s password (among other things).

How is it that a session variable (Impersonation) gets destroyed, but I guess the session is still hanging around, because it doesn’t make the user log in again?

This is a somewhat serious bug for how our system works (bug in our code, I’m sure, not in .Net). Does anyone have any suggestions for a solution for this?

We are using ASP.Net c#, aspnet membership services, .net 3.5, forms auth…not sure what else you need to know.

EDIT: Updated information. Looks like when “something” happens, for instance, when I recompile some dlls and copy them to the webserver, the session gets dumped. Or, rather, the variables in the session get dumped. The session id stays the same. I do get to check for Session.IsNewSession and it returns true, even though the id is the same as it was before.

Just like Utaal mentioned, Membership Services is separate from Session, so it’s forms auth token is still hanging around in the browser, but my session variable telling me that that isn’t really the user who is controlling the browser isn’t there anymore.

EDIT: Sky, here is what I’m doing to authenticate a user. I can’t figure out where I would insert a ticket into this flow:

if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
    FormsAuthentication.SetAuthCookie(txtUserName.Text, false);

So, where can I slip in a ticket object and set my own information?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Matt,
    Use the UserData slot on the forms ticket to store the impersonation information. That is what it is for.

    Then your info will not get lost with the session.

    If you would like a simple example of creating your own ticket, amongst other things, check this. You may want to focus on the login page and the tickethelper class.

    • 0