
We have a cloud-based ASP.NET web application (ASP.NET Web Forms) which is for dry cleaners, and our customers have their own user id and password to log in. So to give them customer support we get access to their system through TeamViewer and then check the problem. But now we are trying to make a tool so we can directly log in to our clients' accounts without asking for their user id and password and check their problems. So I need some guidance on where to start, as I am a trainee right now.

Rachit Shah
  • Question is vague as there is no mention of whether you are using ASP.NET Web Forms or ASP.NET MVC. Also it is not clear how you are logging them in directly without letting them log in, i.e. are you using some direct URL scheme to log in (something like "verify your email" etc.) or something else? – vibs2006 Sep 05 '17 at 06:30
  • We are using ASP.NET Web Forms, and in the login process we match the encrypted password with the value present in the database and then redirect to the URL for the client's account. @vibs2006 – Rachit Shah Sep 05 '17 at 06:40
  • Without the password you can't log in to the app. If you can, then this is a serious security flaw. The user manager won't allow you to log in to the application as a particular user if you don't supply the password. – It's a trap Sep 05 '17 at 06:40
  • There is some software available where the admin can log in to a user's account. @It'satrap – Rachit Shah Sep 05 '17 at 06:43
  • Then why don't you use such software? Anyway, I would like to know some examples of such software. – It's a trap Sep 05 '17 at 06:50
  • What I wanted to say is that many software products give this facility to log in to a user's account, e.g. JIRA, and we want to introduce that feature in our application too. @It'satrap – Rachit Shah Sep 05 '17 at 07:19
  • In an ASP.NET application you can't really do that until you outsource authentication to such third-party tools. – It's a trap Sep 05 '17 at 07:36
  • OpenID Connect authentication is one type of authentication which will allow you to achieve what I understand you want. It just uses a bearer token. Once obtained, the same token can be used by any origin and the app will believe that it's the same user for which the token was issued. But here also you will have to get hold of the access token from the customer. He can do it without sharing his password and won't need to reset it later either, as the token will expire in about an hour. – It's a trap Sep 05 '17 at 07:44

1 Answer

A lot of applications provide a "Login as ..." feature. There is usually a list of all users, and when you select one of them you see their account details. Add a function (e.g. a button or something) to those details which allows an admin to log in as the other user.

I recommend staying logged in as admin/supervisor/... and just adding the "hijacked" user somehow to the session.

This approach probably requires rewriting the session management, but it enables you to log which admin logged in as which user, and you could also log all the actions the admin did while incorporating the user. Adding logs might be important. Privacy might be a concern as well. This question is not something you should discuss on SO, but with your company, as it involves company policies, etc. Also, we know nothing about your code, your application and how it works.

Peanut
  • The user password is one-way encrypted, so how can we access their account? Can you explain it (sorry, I do not have much experience in web applications). – Rachit Shah Sep 05 '17 at 06:21
  • If logged in as administrator, rewrite the code (make some backdoor for admin only) so you can impersonate without using a password. If done well (security-wise), this is acceptable, but be very conscious about it. – Verthosa Sep 05 '17 at 07:30
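One way to implement the answer's "stay logged in as admin, add the impersonated user to the session" approach in ASP.NET Web Forms, as an added example that is not code from the question, the answer or the asker's application. It assumes an `Admin` role, a 30-minute limit, and an `audit` delegate that writes to the application's own log; data-access code then calls `EffectiveUserId` instead of `User.Identity.Name`.

```csharp
using System;
using System.Web;

// Hypothetical helper: the admin's own authenticated identity never changes;
// only the "effective" customer id stored in Session does. Every transition is audited.
public static class Impersonation
{
    private const string EffectiveUserKey = "ImpersonatedUserId";
    private const string StartedAtKey = "ImpersonationStartedUtc";
    private static readonly TimeSpan MaxDuration = TimeSpan.FromMinutes(30); // assumed limit

    // Called from the "Login as" button on the admin's customer-details page.
    public static void Begin(HttpContext ctx, string targetUserId, Action<string> audit)
    {
        // Only a real, authenticated administrator may start; role name "Admin" is assumed.
        if (!ctx.User.Identity.IsAuthenticated || !ctx.User.IsInRole("Admin"))
            throw new UnauthorizedAccessException("Only administrators may impersonate.");
        // Refuse nested impersonation so the audit trail stays unambiguous.
        if (ctx.Session[EffectiveUserKey] != null)
            throw new InvalidOperationException("Already impersonating; end it first.");

        ctx.Session[EffectiveUserKey] = targetUserId;
        ctx.Session[StartedAtKey] = DateTime.UtcNow;
        audit($"{ctx.User.Identity.Name} started impersonating {targetUserId}");
    }

    // Called from a "Return to my account" button, or automatically on expiry.
    public static void End(HttpContext ctx, Action<string> audit)
    {
        var target = ctx.Session[EffectiveUserKey] as string;
        if (target == null) return;
        ctx.Session.Remove(EffectiveUserKey);
        ctx.Session.Remove(StartedAtKey);
        audit($"{ctx.User.Identity.Name} stopped impersonating {target}");
    }

    // Data-access code asks for the effective user instead of reading Identity.Name.
    public static string EffectiveUserId(HttpContext ctx, Action<string> audit)
    {
        var target = ctx.Session[EffectiveUserKey] as string;
        if (target == null) return ctx.User.Identity.Name;
        var started = (DateTime)ctx.Session[StartedAtKey];
        if (DateTime.UtcNow - started > MaxDuration)
        {
            End(ctx, audit);               // expired: silently fall back to the admin's own account
            return ctx.User.Identity.Name;
        }
        return target;
    }
}
```

Because the admin's own session remains authenticated, each action taken on the customer's behalf can be logged with both identities (for example from `Application_BeginRequest` in Global.asax), which is the audit trail the answer recommends.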