A component that stores the current authentication session and creates a new session for impersonating users. The user can revert to the original authentication session without needing to log in again.
Always double-check that an attacker cannot "spoof" other users in the controller actions, to prevent hijacking of user accounts that the current request user shouldn't/wouldn't normally have access to. You should enable CsrfComponent and SecurityComponent in your controller when loading this component.
This plugin does circumvent default authentication mechanisms.
- CakePHP 3.7 and above.
composer require jomweb/cake-impersonate:"^3.0"
Open \src\Application.php and add

    $this->addPlugin('CakeImpersonate');

to your bootstrap() method, or call

    bin/cake plugin load CakeImpersonate

Load the component from the controller:

    $this->loadComponent('CakeImpersonate.Impersonate');

Open configure\app.php and add

    'Impersonate' => [
        'sessionKey' => 'OriginalAuth'
    ]

to the return []; array, or use

    Configure::write('Impersonate.sessionKey', 'OriginalAuth');

when loading the component.
This requires the request to be a POST, PUT or DELETE so it can be protected by SecurityComponent and CsrfComponent.
    $this->Impersonate->login($userIdToImpersonate);
    $this->Impersonate->isImpersonated();
    $this->Impersonate->logout();
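
One way to guard the controller action against spoofing, as the warning above asks. This is an added example, not code from the plugin: it assumes AppController loads AuthComponent, that the users table has a `role` column with `admin` as the privileged value, and the action name `impersonate` is hypothetical.

```php
<?php
// Added example, not the plugin's own code. Assumed: AuthComponent is loaded
// by AppController, users have a `role` column, 'admin' is the privileged role.
namespace App\Controller;

use Cake\Http\Exception\ForbiddenException;

class UsersController extends AppController
{
    public function initialize()
    {
        parent::initialize();
        // SecurityComponent and CsrfComponent, as recommended above
        // (drop any that your AppController already loads).
        $this->loadComponent('Security');
        $this->loadComponent('Csrf');
        $this->loadComponent('CakeImpersonate.Impersonate');
    }

    public function impersonate($id = null)
    {
        // State-changing verbs only; a GET raises MethodNotAllowedException.
        $this->request->allowMethod(['post', 'put', 'delete']);

        // Decide server-side who may impersonate; never trust a request flag.
        if ($this->Auth->user('role') !== 'admin') {
            throw new ForbiddenException('Impersonation is restricted to administrators.');
        }
        // Refuse to stack a second impersonation on top of an existing one.
        if ($this->Impersonate->isImpersonated()) {
            throw new ForbiddenException('Stop the current impersonation first.');
        }

        // get() throws RecordNotFoundException for an unknown id.
        $target = $this->Users->get($id);
        // Block lateral moves into other privileged accounts.
        if ($target->role === 'admin') {
            throw new ForbiddenException('Administrator accounts cannot be impersonated.');
        }

        // Audit trail: record who impersonated whom before switching sessions.
        $this->log(sprintf('User %s started impersonating user %s',
            $this->Auth->user('id'), $target->id), 'info');
        $this->Impersonate->login($target->id);

        return $this->redirect('/');
    }
}
```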