Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
User session Ghosting / Spoofing
  • Im trying to create an admin functionality to impersonate a user, but im having problems deciding if I should avoid using the user_hash, creating a impersonate_hash.

    What would be the best approach to do so?
  • If you're using Auth, you don't need to do anything, you can Auth::force_login() to create a login session as any given user id.
  • I tried that but when the user loges in pops out the administrator and vice versa, that causes to generate a new user_hash there fore close other user session.
  • HarroHarro
    Accepted Answer
    If you have disabled multiple user logins, that is indeed the case.

    You can control that behaviour in the simpleauth or ormauth config file in app/config, by changing

    'multiple_logins' => false


    'multiple_logins' => true
  • that did the trick, thank you for your quick response.
  • Sorry for the double post, but what if i don't want to allow multi session?

    Is there another way to do this with out recurring to multi session configuration.
  • Not with the standard codebase. Are you using Simpleauth or Ormauth?
  • So I would have to remove the standard used?
    Currently using Ormauth
  • No, you can easily extend/override the class, check

    Either overload the force_login() method, or create a second method that allows you to do what you want. All you need to do is not generate a new login hash, but fetch the existing login hash, and store that in the session instead.

    Only downside with that method is that if the original user logs out, and logs in again, a new login hash will be generated, which will cause your administrator to be thrown out. If you want to deal with that too, a more drastic change is needed.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

In this Discussion