Reputation: 494
We have a private web platform where we have thousands of users and an Admin account. We want to be able to log in as the admin, bring up our list of users, click a "Log in as user" and then become that user. This is to be able to replicate and diagnose bugs they find that we are unable to produce in our controlled local environments. I've created an implementation of this that is multi-layered:
1. At the browser, the app will now attach a header containing the spoofed user's id.
2. The server will authenticate the user on all requests as usual, but if the user is an Admin and the header is present, it will respond as though the spoofed user had made the request, not the admin itself.
Pretty simple, but as with anything security related, I'm wary. Can you please recommend good reading about this type of topic (or give feedback yourself)? I've been Googling trying to find white papers, books, any thorough discussion of things to keep in mind with this type of functionality being added to a system, but I'm coming up empty as I may not be using the correct vocabulary. Much appreciated!
Upvotes: 0
Views: 31
Reputation: 30035
What you want to do is called User Impersonation. It is best to reuse as much as possible if your framework has such functionality (IIS for instance).
Besides the security implications, one key element is traceability: you must ensure that all activity done on behalf of the user is traced in such a way that the administrator cannot modify it (by sending it to a remote log management server, for instance). You may also want to check what user agreement is required in the specific case of your application.
Upvotes: 0
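The header-based impersonation from the question combined with the traceability point from the answer, as an added example that is not code from either poster. It is framework-agnostic: the request is reduced to a real (already authenticated) user id, a header dict and a path; the in-memory `AuditLog` stands in for the remote log management server and chains entries with an HMAC under a key the application's admins do not hold, so a later edit or deletion of an entry is detected when the chain is verified. The header name `X-Impersonate-User`, the user directory, the signing key and the policy that an admin may not impersonate another admin are all constructed assumptions of this example, not rules stated in the thread.

```python
"""User impersonation ("log in as user") with a tamper-evident audit trail.

Added example; not from the original question or answer. Header name, user
directory, audit key and the no-admin-targets-admin rule are constructed.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

IMPERSONATE_HEADER = "X-Impersonate-User"   # hypothetical header name

# Constructed user directory: id -> record. Real code would query a database.
USERS = {
    "u-1": {"id": "u-1", "roles": {"admin"}},
    "u-2": {"id": "u-2", "roles": {"admin"}},
    "u-42": {"id": "u-42", "roles": {"user"}},
}

# Key held by the audit service, never by the application's admin users.
AUDIT_KEY = b"constructed-audit-key-kept-off-the-app-host"


class AuditLog:
    """Append-only, hash-chained log standing in for a remote log server.

    Each entry carries an HMAC over its content plus the previous entry's MAC,
    so editing, reordering or deleting an entry breaks the chain on verify().
    """

    def __init__(self, key: bytes):
        self.key = key
        self.entries: list = []

    def _mac(self, prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hmac.new(self.key, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else ""
        entry = {"event": event, "prev": prev, "mac": self._mac(prev, event)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = ""
        for e in self.entries:
            if e["prev"] != prev or not hmac.compare_digest(self._mac(prev, e["event"]), e["mac"]):
                return False
            prev = e["mac"]
        return True


class Forbidden(Exception):
    pass


def resolve_effective_user(real_user_id: str, headers: dict, path: str,
                           audit: AuditLog, now: Optional[float] = None) -> dict:
    """Authenticate as usual, then apply the impersonation header if allowed.

    Returns the user record the request should be served as. Every attempt to
    impersonate, allowed or denied, is audited with both identities.
    """
    real = USERS.get(real_user_id)
    if real is None:
        raise Forbidden("unauthenticated")
    target_id = headers.get(IMPERSONATE_HEADER)
    if target_id is None:
        return real                                  # ordinary request
    event = {"ts": now if now is not None else time.time(), "path": path,
             "admin": real_user_id, "target": target_id}
    if "admin" not in real["roles"]:
        audit.append({**event, "outcome": "denied:not_admin"})
        raise Forbidden("impersonation requires admin")
    target = USERS.get(target_id)
    if target is None:
        audit.append({**event, "outcome": "denied:unknown_target"})
        raise Forbidden("unknown user")
    if "admin" in target["roles"]:                   # constructed policy
        audit.append({**event, "outcome": "denied:target_is_admin"})
        raise Forbidden("cannot impersonate another admin")
    audit.append({**event, "outcome": "allowed"})
    # Serve as the target, but keep the real identity alongside so handlers
    # and templates can still tell this is an impersonated session.
    return {**target, "impersonated_by": real_user_id}
```

The denied paths are logged as well as the allowed one, since a non-admin sending the header is exactly the kind of event the remote log should capture. Retaining `impersonated_by` on the effective user lets the rest of the application show an "acting as" banner and exclude impersonated sessions from actions such as changing the user's password or payment details.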