Question

  • In my web application, I'd like to allow super users to impersonate other users.

My Question:

Is there a generally accepted design pattern that I could use to make this happen?

  1. Generally speaking, I can imagine that I'll need to keep track of the current user and the impersonated user inside of the session.
  2. But you can understand that I'd like to minimize the complexity attached to this change.

  3. Incidentally, my application is an ASP.NET MVC 2 application, so if I could take advantage of any existing infrastructure, that would be great.

EDIT: I'm using Forms Authentication.

EDIT: I'll also need to track the fact that a super user is acting on behalf of another user. I'll need to do this for two reasons:

  1. Logging should log the fact that a super user acted on behalf of another user.
  2. It's conceivable that the super user would want to return to the impersonation screen to "switch context" and impersonate another user.

EDIT: @Jordão proposed a mostly workable solution. My only concern is the following - If the super user (while impersonating another user) navigates to the home screen, and the top of the screen says 'Hello [User]', I want it to say 'Hello [Impersonated User]' as opposed to 'Hello [Super User]'. And I'm afraid that @Jordão's solution would make the implementation of this screen and other screens with similar requirements more complex.

Solution

Don't impersonate other users, but give the super users enough authorizations and exclusive interfaces so that they can act on the other users' data.

If you then have logging or auditing data, you know which user (normal or super) acted on the data.

Other tips

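// Requires: using System.Web.Mvc; using System.Web.Security;
[Authorize(Roles = "Admin")]
public ActionResult Impersonate(string username)
{
    // Drop the admin's own forms-authentication cookie.
    FormsAuthentication.SignOut();
    // Issue a non-persistent auth cookie for the target user; from here on the
    // request identity is that user and the admin's identity is not retained.
    var cookie = FormsAuthentication.GetAuthCookie(username, false);
    Response.AppendCookie(cookie);
    return RedirectToAction("index");
}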
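
One way to keep both identities under Forms Authentication, as an added example that is not part of the original question or answers: the ticket is issued for the impersonated user while the super user's name travels in the ticket's UserData field, which Forms Authentication encrypts and signs under its default protection setting. The class and action names, the "impersonator=" convention and the Home/Index redirect are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Security;

public static class ImpersonationInfo              // hypothetical helper
{
    public const string Prefix = "impersonator=";  // assumed UserData convention

    // Returns the super user recorded in the ticket, or null when not impersonating.
    public static string GetImpersonator(IPrincipal user)
    {
        var identity = user.Identity as FormsIdentity;
        var data = identity == null ? "" : identity.Ticket.UserData ?? "";
        return data.StartsWith(Prefix, StringComparison.Ordinal) ? data.Substring(Prefix.Length) : null;
    }
}

public class ImpersonationController : Controller  // hypothetical controller
{
    // POST plus anti-forgery token: a cross-site request cannot switch the admin's identity.
    [HttpPost, ValidateAntiForgeryToken, Authorize(Roles = "Admin")]
    public ActionResult Start(string username)
    {
        Trace.TraceInformation("{0} started impersonating {1}", User.Identity.Name, username);
        IssueTicket(username, ImpersonationInfo.Prefix + User.Identity.Name);
        return RedirectToAction("Index", "Home");
    }

    // No Admin role here: during impersonation the request runs as the impersonated user.
    [HttpPost, ValidateAntiForgeryToken, Authorize]
    public ActionResult Stop()
    {
        var impersonator = ImpersonationInfo.GetImpersonator(User);
        if (impersonator == null) return new HttpUnauthorizedResult();
        IssueTicket(impersonator, "");             // restore the super user's own ticket
        return RedirectToAction("Index", "Home");
    }

    // Copies the configured ticket settings and attaches userData to the new ticket.
    private void IssueTicket(string name, string userData)
    {
        var cookie = FormsAuthentication.GetAuthCookie(name, false);
        var t = FormsAuthentication.Decrypt(cookie.Value);
        cookie.Value = FormsAuthentication.Encrypt(new FormsAuthenticationTicket(
            t.Version, t.Name, t.IssueDate, t.Expiration, false, userData, t.CookiePath));
        Response.Cookies.Add(cookie);
    }
}
```

Views keep using User.Identity.Name for the greeting, while logging code calls ImpersonationInfo.GetImpersonator(User) to record which super user acted on the other user's behalf.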
License: CC-BY-SA with attribution
Not affiliated with StackOverflow