proxy user login
Posted by: Jo on October 14, 2008 | Updated: November 16, 2008 06:36 PM
Hunting down issues on websites for logged-in users can be difficult, or at the least time-consuming, when you can't see what users are referring to because you are not logged in as them. Terminology that is not shared also adds to the confusion.
Now you can easily set up a proxy login on your site and log in as one of your site's users.
How does it work?
The implementation focuses on security, ease of use, and flexibility of setup for different sites, in that order.
A Site Administrator has three options to select:
- A group of users that are allowed to proxy login to another user's account. This could be an existing group (e.g. Administrators), or a special group set up on the site, e.g. 'tech support'.
- A group that contains all users that may require proxy login support. This again could be a default group such as Users, or a special group you set up on your site, e.g. a 'support requested' group that you move users into on an as-needed basis.
- Whether to allow the 'tech support' to log in directly or require them to supply their usual site password, as an added security measure.
Once these are set up, proxy login is done from Roles Administration's user listing. Any users that are able to proxy login will see a special 'login as this user' icon and link next to the relevant user.
Requirements and assumptions
- Xarigami Cumulus Core distribution or higher release is required.
- The process assumes the proxy login group, the 'tech support', to have at least 'Edit Role' level privileges.
- A nominated user must already be logged in at your site, to proxy login to another user account.
- There are some users and groups you cannot proxy login to, including the default Administrators group, and reserved roles such as Myself and Anonymous.
Setup steps
- As Administrator, go to Roles - Modify Config and select the General tab.
- Select a 'proxy login group' from the drop down selector. Create a new group first if necessary. These users will be able to log in to another specified user's account without having to know their password or change it.
- Select a 'proxy candidate group' from the drop down selector. Create a new group first if necessary.
- If you want to doubly secure the login process, check the box to require the person doing the proxy login to supply their own password first.
Usage
- Browse to Roles - Groups and Users, and list the group containing the users you want to log in as (the proxy candidate group).
- You should see a 'login as this user' icon and link next to each prospective user that is available for proxy login. If you are not privileged to do the proxy login, you will not see the special icon and link. Similarly, if the user is not in the proxy candidate group, no 'login as' link will appear.
- Click the link to log in. If you have elected to require confirmation by password, you will be prompted to supply your own site password prior to being automatically logged in as the user.
The code
In this case we assume that no one can log in as another user unless each is in a specifically nominated group. The code does the following checks:
- Checks that a user has the correct privileges, is in the correct group and that the facility is activated, before allowing them to become a 'proxy login user' and log in to another user's account.
- When the 'login as this user' link is clicked, if password confirmation is chosen, this authentication takes place; if it fails, the user is returned to the user listing page with an appropriate error message.
- Once through the authentication, the code checks that the proxy login candidate is indeed in the correct group and a potential proxy login candidate.
- The login candidate does not have their password changed, and the person doing the proxy login neither knows nor needs to know the candidate's password.
- Once these criteria are passed by each of the two parties, the login process is programmatically started. With a small inclusion in the login code and additional checks for proxy login authority, the proxy login user is logged into the candidate's account.
The candidate and the proxy login user can both be logged in at the same time which helps when discussing support issues.
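The check sequence described in this section, modelled as an added example. It is not Xarigami's code: the `User`, `Config` and `authorize_proxy_login` names, the numeric privilege level and the PBKDF2 password hashing are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model of the checks listed above; all names are hypothetical,
# not Xarigami's API. Privilege levels are simplified to integers.
EDIT_ROLE = 500                          # assumed numeric level for 'Edit Role'
RESERVED = {"Myself", "Anonymous"}       # reserved roles named on the page
PROTECTED_GROUPS = {"Administrators"}    # members can never be proxy targets

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    name: str
    groups: set
    level: int = 0
    logged_in: bool = False
    salt: bytes = b""
    pw_hash: bytes = b""

@dataclass
class Config:
    proxy_group: str = ""        # empty means the facility is not activated
    candidate_group: str = ""
    require_password: bool = True

def authorize_proxy_login(cfg, actor, target, password=None):
    """Return (allowed, reason). Deny unless every check passes."""
    # 1. Facility active; actor logged in, privileged and in the proxy group.
    if not cfg.proxy_group or not cfg.candidate_group:
        return False, "proxy login not configured"
    if not actor.logged_in:
        return False, "actor not logged in"
    if actor.level < EDIT_ROLE or cfg.proxy_group not in actor.groups:
        return False, "actor not authorised"
    # 2. Optional re-authentication with the actor's OWN password.
    if cfg.require_password:
        supplied = hash_pw(password or "", actor.salt)
        if not hmac.compare_digest(supplied, actor.pw_hash):
            return False, "password confirmation failed"
    # 3. Target must be a candidate and not a protected or reserved account.
    if target.name in RESERVED or target.groups & PROTECTED_GROUPS:
        return False, "target is protected"
    if cfg.candidate_group not in target.groups:
        return False, "target not a proxy candidate"
    return True, "ok"
```

The protected-target check runs before the candidate-group check, so an Administrators member who is also placed in the candidate group is still refused.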
Related project: xarigami core