  1. #1
mike101 (SitePoint Member)

    Administrator logging in as a user - where to start?

    OK. See how this grabs ya!

    I've built a lovely membership system for my client where members are granted access to particular folders on his website. I've created an admin section so he can communicate with his members, change member details, suspend/add/delete/upgrade a member, etc etc . . .

    He's just asked for a feature that will allow him, from the admin section, log into the member center as a user.

    I've seen this feature on some control panels like DirectAdmin, and Modern Bill but I'm not sure where to start? Any ideas?

    Would appreciate any pointers! Got my head in as many PHP books as I have on my shelf and will update if I find an answer - in the meantime anyone done this already?

    Thanks!
    FD19.NET: Smarter Hosting Solutions
    RHEL - DirectAdmin - Support 24/7
    http://www.fd19.net

  2. #2
McGruff (simple tester)

Not sure what the problem is - can't you just create a user account for him and add the user login link to the admin page? You'd also need to cancel his current status, e.g. if this is recorded in a session var, unset the var.

  3. #3
mike101 (SitePoint Member)

    Hi,

I'm not sure if I'm either overcomplicating things or if you've misunderstood me.

Here's a scenario to illustrate what I need:

My client logs into the admin section of the membership center. He clicks "List all members" to get a list of all current members in the database. He currently has the option to "EDIT" the member, "DELETE" the member or "SUSPEND" the member.

He also wants another option in that list to "LOGIN AS THIS MEMBER" so he can log in to the membership center as that user rather than having to look up the user's username and password, go to the login screen and manually log in as that user. In fact he can't look up the user's password even if he wanted to because they're all stored in the DB as md5 passes.

    Does that make sense?

    Thanks for the response!

  4. #4
SitePoint Guru

Okay, that sounds pretty dodgy. There's a reason the passwords are md5'd - it's so no one can login as the user. You should make sure that users know that someone can access their details before they sign up or join.

That aside, couldn't you just login as that user the same way? For example, if you check the username and pass when a user is logging in, and then if correct, you put the user's user_id in a session, couldn't you just replace the admin's user_id with the user_to_be_spoofed's user_id in the session?

  5. #5
Crowe (SitePoint Wizard)

    You could also check username & master password. This is how cpanel does it, among others.

First it checks to see if user & password match; if the password doesn't match, it checks to see if it's the "master password".
    Chrispian H. Burks
    Nothing To Say

  6. #6
mike101 (SitePoint Member)

Quote:
Okay, that sounds pretty dodgy
You think? If it does I think you may have missed the point entirely. Probably me not explaining it properly!

Quote:
There's a reason the passwords are md5'd - it's so no one can login as the user
Yep. I know that. I built this system, plus that's the reason I'm trying to give the admin a way to login without "knowing" the password.

Quote:
You should make sure that users know that someone can access their details before they sign up or join.
The only "someone" that can access their details is the administrator - the administrator being the guy who is *supposed* to have access to his members' details?

Quote Originally Posted by Crowe
First it checks to see if user & password match; if the password doesn't match, it checks to see if it's the "master password".
Thanks for that Crowe! I didn't know that's how Cpanel did it.

    That's given me the idea I needed!

  7. #7
SitePoint Zealot

Another thing you could do is overwrite his session or cookie values with the values necessary for the user to login. That's how my forum software does it. If I want to login as a different user it resets my cookie to have that user's credentials rather than my admin credentials.

  8. #8
SitePoint Zealot

    Quote Originally Posted by mike101
    He's just asked for a feature that will allow him, from the admin section, log into the member center as a user.
    Mike, I have two questions:

    1. Does your client really want to log in as a particular user, or does he just want to assume the identity of that user? If he just wants to use the identity, it's probably better to simply replace the user_id in the administrator's session.
    2. Why? I can't think of any circumstances where an administrator would want to become another user; if the admin needs to edit a user's profile, it makes more sense (to me) to create an 'Edit user profile' option in the admin section.

    I have to agree with lazy_yogi: this sounds pretty dodgy. Everybody knows administrators have almost unlimited control over the content on their site, but that's not the same as taking on the identity of someone else. Normally, administrators are prevented from posting content using the identity of someone else (although they can change existing content by that user). If you allow administrators to become other users, then there's no way you can prevent that user (who is really the admin) from submitting content as himself (which he isn't).

  9. #9
mike101 (SitePoint Member)

Quote:
I have to agree with lazy_yogi: this sounds pretty dodgy.
Are you guys kidding me???

    Have you ever heard of Cpanel? Arguably one of the most commonly used and popular control panels on the planet! Is Cpanel dodgy by allowing this feature? Have you ever heard of DirectAdmin? A close runner up to Cpanel in terms of popularity that also allows this feature. Is DirectAdmin Dodgy?

    ModernBill is considered by many as the industry standard in client-billing for hosting companies the world over. The modern bill system ALSO has this feature? Does that make THEM dodgy too??

FAR FAR FAR from being dodgy it's a hugely useful feature! A client calls/emails/whatever and has the following conversation with my administrator:

=>client: HEY! Every time I try to add a widget the membership system gives me an error

    =>administrator: Well, if you give me your username and password I'll be able to log in and take a look for you

    =>client: Do I have to? I'm not sure I'm comfortable giving out my password to anyone! Is there another way?

    =>administrator: You mean a way for me to log into your account and see what the problem is without my knowing your password? Gee, I'm not sure, that sounds pretty dodgy!

Now do you get it? Having this feature ensures that the administrator never knows what the password is!


    Attached directadmin screen shot of the feature I'm wanting:

    ChrisHasenpflug > Thanks for your input! I'm learning this is a session/cookie issue for sure!

  10. #10
sweatje (eschew sesquipedalians)

I agree with lazy_yogi and Azmo, it does look a bit dodgy. In the scenario you provided, I would have the admin override the password to a new value, and then login. At least everyone is clear what is going on then. As long as the user can go back in and reset the password it should not be a problem.
    Jason Sweat ZCE - jsweat_php@yahoo.com
    Book: PHP Patterns
    Good Stuff: SimpleTest PHPUnit FireFox ADOdb YUI
    Detestable (adjective): software that isn't testable.

  11. #11
Non-Member

    Dodgy ?? Definitely

    For one I couldn't see myself using software that has this feature as looking at it, it's a blatant security breach

    Just give permissions to the Administrator so s/he can edit, delete, etc as required as suggested above, and leave it at that

  12. #12
sike (SitePoint Zealot)

    Dodgy?

No. Just go and work in first-level support a few weeks.

    Sike

  13. #13
Viflux (Employed Again)

    Quote Originally Posted by mike101
=>client: HEY! Every time I try to add a widget the membership system gives me an error

    =>administrator: Well, if you give me your username and password I'll be able to log in and take a look for you

    =>client: Do I have to? I'm not sure I'm comfortable giving out my password to anyone! Is there another way?
    =>administrator: Don't worry, I've coded it so that I can login as you without knowing your password.

    =>client: So you can go into my account and view/change everything I have in there?

    =>administrator: Exactly!



    Dodgy indeed.

  14. #14
sike (SitePoint Zealot)

    errrm ?

My clients are smart enough to know that I could dump the database and/or change everything I want. So what's the deal?

    Sike

  15. #15
Viflux (Employed Again)

    Not every administrator in a web application has access to the database.

  16. #16
Crowe (SitePoint Wizard)

    You people have gone crazy. Every major system developed has a way for the admin to log in as the user. Unix (SU anyone?) This thread has become almost funny, if it wasn't so sad.

  17. #17
Viflux (Employed Again)

    But for someone to use SU on a UNIX/Linux system, you need either physical access to the box, or remote access to the box, something the person with physical access would have to permit.

I agree that an administrator should be able to login as a user, but in a restricted fashion. For example, restrictions against forum posts, editing of details, etc., should be made.

    It's more an identity theft issue than one of security.

  18. #18
Non-Member

Quote Originally Posted by Viflux
It's more an identity theft issue than one of security.

    You've hit the nail on the head

    The fact that someone is an Administrator, means by this definition that they administer.

    To do that does not mean that they need to become someone else to do so, regardless of what requirements are.

    My thoughts on the topic anyway

Quote Originally Posted by sike
So what's the deal?
The deal is that if something goes wrong, who carries the can, huh? i.e.

You the administrator, or them (the client) for allowing you the privilege for making a complete **** of something

  19. #19
sweatje (eschew sesquipedalians)

    Quote Originally Posted by Crowe
    You people have gone crazy. Every major system developed has a way for the admin to log in as the user. Unix (SU anyone?) This thread has become almost funny, if it wasn't so sad.
    Both su and sudo log into the system messages for auditing purposes as well. I did not see that requirement mentioned in the requested web site feature.

I suspect that many people here do not work in corporate environments that are subject to the new US Sarbanes-Oxley legislation or issues like this would likely not even be raised. We have both internal and external auditors crawling all over us on a variety of issues, including application security.

  20. #20
mike101 (SitePoint Member)

Quote Originally Posted by Crowe
You people have gone crazy. Every major system developed has a way for the admin to log in as the user. Unix (SU anyone?) This thread has become almost funny, if it wasn't so sad.
    nuff said!

  21. #21
firepages (wombat)

Assuming you use different authentication for admin as opposed to users, I do not see the problem? You do not need to know the user's password.

When checking for login status on a protected page, simply check for admin status first; if such exists, start the user session. Then admin has both user and admin sessions and can act as both.

You will have to modify your user login routine to start a user session without a password (if admin status exists).

Also (and yes I have been there) if you log/track user activity or modification times etc. you will have to modify those routines as well if an admin session exists.

If you use the same authentication system for admin as users then you have problems.
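One way to put the approach in this post together with the audit trail sweatje asked for and the restricted mode Viflux suggested, as an added example that is not code from the thread or from any of the control panels mentioned: the admin session is checked first, the member's password hash is never read, and the admin's own identity stays in the session (rather than being swapped for the member's user_id) so every action is attributable. Function names, session keys and the log path are assumptions, and session_start() is assumed to have run.

```php
<?php
// Added example, not code from the thread: post #21's scheme (check for an admin
// session first, then open a member session without a password) plus the audit
// trail post #19 asks for and the read-only restriction post #17 suggests.
// Function names, session keys and the log path are assumptions.
declare(strict_types=1);

const AUDIT_LOG = '/var/log/membership-audit.log'; // assumed path

function audit(string $event, array $ctx): void {
    $line = date('c') . ' ' . $event . ' ' . json_encode($ctx) . PHP_EOL;
    file_put_contents(AUDIT_LOG, $line, FILE_APPEND | LOCK_EX);
}

// Handler for the "LOGIN AS THIS MEMBER" link in the admin member list. The admin's
// own identity stays in the session and the member's password hash is never read.
function startImpersonation(int $memberId, bool $readOnly = true): void {
    if (empty($_SESSION['admin_id'])) {
        throw new RuntimeException('admin session required');
    }
    session_regenerate_id(true); // fresh session id whenever privilege changes
    $_SESSION['impersonating'] = ['member_id' => $memberId, 'read_only' => $readOnly];
    audit('impersonation.start', ['admin_id' => $_SESSION['admin_id'],
                                  'member_id' => $memberId, 'read_only' => $readOnly]);
}

function stopImpersonation(): void {
    if (isset($_SESSION['impersonating'])) {
        audit('impersonation.stop', ['admin_id' => $_SESSION['admin_id'],
                                     'member_id' => $_SESSION['impersonating']['member_id']]);
        unset($_SESSION['impersonating']);
        session_regenerate_id(true);
    }
}

// Member pages call this instead of reading $_SESSION['user_id'] directly: the admin
// sees the member's account while the real actor stays known for activity logs.
function effectiveMemberId(): ?int {
    if (isset($_SESSION['impersonating'])) {
        return (int) $_SESSION['impersonating']['member_id'];
    }
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Guard for every write (post, profile edit, password change) on member pages.
function assertMayWrite(string $action): void {
    $imp = $_SESSION['impersonating'] ?? null;
    if ($imp !== null && $imp['read_only']) {
        audit('impersonation.denied', ['admin_id' => $_SESSION['admin_id'],
                                       'member_id' => $imp['member_id'], 'action' => $action]);
        throw new RuntimeException("read-only impersonation: $action");
    }
}
```

Activity-tracking routines should record both ids from the session when `impersonating` is set, so modification times and posts are never attributed to the member alone.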

  22. #22
mike101 (SitePoint Member)

Quote Originally Posted by firepages
You do not need to know the user's password.
Hadn't considered that!

Quote Originally Posted by firepages
You will have to modify your user login routine to start a user session without a password (if admin status exists).
Precisely the instruction/tip I was looking for

Quote Originally Posted by firepages
If you log/track user activity or modification times etc. you will have to modify those routines as well if an admin session exists.
Doesn't apply in this case but thanks for the extra pointer.

    NOW I'm excited!! Thanks for that non-alarmist response . . . I'll let you all know how I get on!


  23. #23
Crowe (SitePoint Wizard)

    Quote Originally Posted by Viflux
    But for someone to use SU on a UNIX/Linux system, you need either physical access to the box, or remote access to the box, something the person with physical access would have to permit.

    I agree that an administrator should be able to login as a user, but in a restricted fashion. For example, restrictions against forum posts, editing of details, etc..., should be made.

    It's more an identity theft issue than one of security.

Certainly! I run writing sites and forums and I can log in as any of my users at any time, but this is an admin feature and used to manage accounts and that sort of thing. The administrator has the power to take over posts or do any other admin stuff even without a tool. What people are arguing is pure semantics. If you can't trust the admin where you are then that's another issue. It's not a matter of technology allowing an administrator to "steal" your identity. I'm sure it happens, but it's not the technology's fault. It's the admin who abused the powers. There is every logical and useful reason to have this feature and it doesn't violate any rules or ethics.

