johnnietheblack

Reputation: 13330

Is it possible for an iframe to have a different session?

I am wanting to build an admin tool where I can "impersonate" users of my site, without having to lose my session as an admin.

I would like to be able to open an iframe that will view the website "as the user", without changing the state of the page that opened the iframe.

Is that possible? Is there a better way to do this?

Upvotes: 1

Views: 6596

Answers (2)

Ozzy

Reputation: 10643

What language? My answer is based on the assumption that PHP is your chosen language.

Firstly, I would say you have planned your application wrong if session impersonation is the only way you can view your site as another user while still keeping your admin login intact.

One way you could do it (again, this assumes that you are using PHP with its default session management functions and do not have a custom session handler) would be to load the iframe URL with the ?PHPSESSID=sessionidhere parameter.

A better way to do this is to create your site and authenticate users via a user object of sorts, and then add some sort of URL parameter such as ?userbrowseid=123.

Then when you load the page, your code will only check if the parameter exists if you are already logged in as an admin. The page would then overwrite your current user object with the user object of the user with the id 123. Steps should be taken to make sure your session cookies are not overwritten with the impersonated user object. As this would be in an iframe, your site will work as an admin and the iframe will be loaded as the user object.

Upvotes: 1
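
A sketch of the per-request approach described in the answer above, added here as an example and not code from the answer's author. The USERS table, the is_admin flag, the audit log and the rule against viewing as another admin are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for a user table (hypothetical).
const USERS = [
    1   => ['id' => 1,   'name' => 'admin', 'is_admin' => true],
    123 => ['id' => 123, 'name' => 'alice', 'is_admin' => false],
];

/**
 * Decide which user object this single request renders as.
 * $session is only read, so the admin's own login is never replaced.
 */
function resolveEffectiveUser(array $session, array $query, array &$auditLog): ?array
{
    $actor = USERS[$session['user_id'] ?? -1] ?? null;
    if ($actor === null) {
        return null;                    // not logged in
    }
    $raw = $query['userbrowseid'] ?? null;
    // The parameter is honoured only for an authenticated admin;
    // for everyone else it is silently ignored.
    if ($raw === null || !$actor['is_admin']) {
        return $actor;
    }
    // Strict integer validation: arrays and strings like "123abc" are rejected.
    $targetId = filter_var($raw, FILTER_VALIDATE_INT);
    $target = ($targetId !== false) ? (USERS[$targetId] ?? null) : null;
    // Assumed policy (not from the answer): never view as another admin.
    if ($target === null || $target['is_admin']) {
        return $actor;
    }
    $auditLog[] = sprintf('admin %d viewed as user %d', $actor['id'], $target['id']);
    return $target + ['impersonated_by' => $actor['id']];
}

// Constructed requests: admin with the parameter, normal user with it, admin without it.
$log = [];
$adminSession = ['user_id' => 1];
$userSession  = ['user_id' => 123];
$requests = [
    [$adminSession, ['userbrowseid' => '123']],
    [$userSession,  ['userbrowseid' => '1']],
    [$adminSession, []],
];
foreach ($requests as [$session, $query]) {
    echo resolveEffectiveUser($session, $query, $log)['name'], PHP_EOL;
}
print_r($log);
var_dump($adminSession === ['user_id' => 1]); // session array was not modified
```

Because the effective user is computed per request and never written to $_SESSION, the parent page and the iframe can share one session cookie while rendering as different users.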

alf

Reputation: 8513

It's possible, but there's a big "but" :)

Just a couple options to start with:

  1. Use URL-based session tokens (as Java Servlets do when you have cookies disabled)
  2. Use different domains for "normal" site and admin interface

iframe itself won't help you much: it will always share its cookies with the browser. So in order to avoid that, you can use either of the above options—but that does not depend on the iframe.

Upvotes: 2
