Re: how would you implement user impersonation in database-driven website?



On Jun 5, 12:52 pm, lawpoop <lawp...@xxxxxxxxx> wrote:
On Jun 5, 9:51 am, The Natural Philosopher <t...@xxxxxxxxxxxxxxx> wrote:



I really don't want to learn their passwords. That's why I want to set
up an impersonation system, so I don't need their passwords.

Well, as I said, logically there are two possibilities.

One is a master key that opens all doors, the other is a one time
password system that the users themselves can give you access to.

I see a third possibility. If I'm storing authentication credentials in
a database table, I could simply pull the information that the
authentication credentials protect, arbitrarily.

In other words, I do some secure version of "SELECT client_id FROM
users WHERE username = 'x' AND salty_hash = 'y'" to authenticate
someone logging onto the website. For that query to pull a client_id,
someone has to know a good username and password combo, presuming I
have it set up properly. But the whole reason I'm doing that is just
to get a client id.

Since all I want is that client_id, I could design an administrative
interface to select an arbitrary username and do something like
"SELECT client_id FROM users WHERE username = 'x'" without bothering
to know the password. That would give me the ability to impersonate
anybody in the users table.

However, once that page/code/functionality is there, I would worry
about it being hijacked. What if I overlooked something, and a user
found their way onto that page somehow? Bad news.

I presume you have a login page prompting for username / password
and on submit you validate using the 'select ...' statement
and if valid, you set a session variable indicating that the user is
logged in

so using a special login page, you could prompt for your username /
password, and the user's username
and on submit, validate that your credentials are valid
and set the session variable indicating success, including a session
variable for the user's username (which I presume is how you would
impersonate them as they navigate through the site).
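The flow the reply describes, as an added example that is not code from anyone in the thread: a normal login that authenticates against a salted hash, and a separate impersonation entry point where the administrator must present their own valid credentials before the session is populated with the target user's client_id. It also answers lawpoop's worry about a user stumbling onto that page: the page does nothing unless the caller authenticates as an account flagged is_admin, and every impersonation is written to an audit table. Table names, columns, the is_admin flag, the audit table and the sample accounts are all assumptions constructed for this example; the sqlite3 in-memory database stands in for whatever database the site uses.

```python
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timezone

# Constructed sample data for the demonstration (not real accounts).
# Passwords exist only in this setup routine; the table stores salted hashes.
SAMPLE_USERS = [
    # (username, password, client_id, is_admin)
    ("alice", "alice-pw", 42, 0),
    ("bob", "bob-pw", 77, 0),
    ("admin", "admin-pw", 1, 1),
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the 'salty_hash' column from the thread."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def setup_db() -> sqlite3.Connection:
    """Create an in-memory users table plus an audit table for impersonation."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, "
        "salty_hash BLOB, client_id INTEGER, is_admin INTEGER)"
    )
    conn.execute("CREATE TABLE impersonation_audit (ts TEXT, admin TEXT, target TEXT)")
    for username, password, client_id, is_admin in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
            (username, salt, hash_password(password, salt), client_id, is_admin),
        )
    return conn


def authenticate(conn, username: str, password: str):
    """Normal login. The row is fetched by username only and the hash is
    compared in code with a constant-time comparison, rather than placing
    the hash in the WHERE clause. Returns (client_id, is_admin) or None."""
    row = conn.execute(
        "SELECT salt, salty_hash, client_id, is_admin FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    salt, stored, client_id, is_admin = row
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    return client_id, bool(is_admin)


def impersonate(conn, admin_username: str, admin_password: str, target_username: str):
    """The 'special login page' from the reply: the administrator proves their
    own credentials first; only then is the session filled with the target
    user's client_id. The session also records who is really logged in, and
    the event is appended to the audit table. Returns the session dict, or
    None on any failure (bad admin password, non-admin caller, unknown target)."""
    auth = authenticate(conn, admin_username, admin_password)
    if auth is None or not auth[1]:
        # Wrong password, or an ordinary user reached this page: refuse.
        return None
    row = conn.execute(
        "SELECT client_id FROM users WHERE username = ?", (target_username,)
    ).fetchone()
    if row is None:
        return None
    conn.execute(
        "INSERT INTO impersonation_audit VALUES (?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), admin_username, target_username),
    )
    return {
        "logged_in": True,
        "username": target_username,
        "client_id": row[0],
        "impersonated_by": admin_username,
    }


def audit_entries(conn):
    """(admin, target) pairs, oldest first: who impersonated whom."""
    return conn.execute(
        "SELECT admin, target FROM impersonation_audit ORDER BY rowid"
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(impersonate(db, "admin", "admin-pw", "alice"))
    print(audit_entries(db))
```

Keeping `impersonated_by` in the session lets the rest of the site tell a real login from an impersonated one (for example to refuse password changes or payments while impersonating), and the audit table gives you a record to review if the page is ever reached by someone it should not have been.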


