Need to give Admin the ability to switch users in a php/mysql/bootstrap members portal

General PHP Help
#1

Greetings.
I have searched high and low and can’t seem to find a lesson/tutorial/post on the following procedure.

I have programmed a members backup using php, mysql, bootstrap and the SmartAdmin template from WrapBootStrap.

Everything is awesome, but when we need to get into one of our users backend, either to replicate a problem, or to view one of their invoices, or to test a new user only feature - we have to get that users passwords from them, then log out as admin and log in as that user.

There is a wordpress “switch user” plugin, so I know it is possible to create something with which an admin (there are two of us), can click a button to switch our access (Session) to that particular user, and then have a link to switch back again to our own admin login (Session).

Can anyone give me a hint on where to look (lesson, video, tutorial, reference material) for how to write this particular code?

I believe what I want to do is to change the Session (clear my admin session, lock in that users credentials as a session, then revert back)?

Any point in the right direction would be much appreciated.

#2

First, you should never test using your live site. This causes so many possible security issues!
Normally, you either create a second site or use WAMP and just test on a local system.
In the local version, you can bypass password checking since it will only run on the local lan.

In that way, you can test all your new code and once it is working as you wish, you can upload copies to the
live server site.

Another comment on this bad practice. You are NOT supposed to know a member’s password. It totally breaks the security and the reason for using passwords in the first place. I guess you could create a testing member account and use that. You could set extra code that adjusts if that one test account is logged in so you can see the new code working. If you need the test account to be a new member, just set the flag for it in the database or delete it and recreate it again when needed. But, again, not a good practice to test on a live site.

UserID and Password security forces a web browser to only have one session open at any one time for one site. You could use two different browsers to log into using a different user account. The session is kept inside the browser, so it might work for you. But, you would not want to use a live member account.

Not sure if that is what you are asking for. But, think out the logic of it. And, ask any further questions…

1 Like
#3

You need to think of what actually defines a logged in user. Usually this is just some stored to the $_SESSION array in PHP… Ie

$_SESSION = [ 'userId' => 1, 'admin' => 'true' ];

So if you want to replicate a user just create a page that accepts a user id (and whatever other data you need, and log in that user

$_SESSION = [ 'userId' => $userId, 'admin' => 'false', 'canSwitchTo' => 1 ];

added a canSwitchTo value so you have something to check for later when conditionally showing the switch back to admin button

<?php if ($user->canSwitchTo) : ?>
  <a href="/user/switch?id=<?= $user->canSwitchTo ?>">Switch back to admin</a>
<?php endif; ?>

The switch page obviously need to check if the user is allowed to switch, ie either by being admin or having “canSwitchTo”

Sponsor our Newsletter | Privacy Policy | Terms of Service