"Session bleeding" when using 'Sign in as user'.

Not sure exactly what to call this issue so here is the scenario we have come across with a client:

Some context: a client site has a series of custom single pages strung together that allow a user to add/edit various details in a data collecting wizard-like setup. Some of those detail edits update custom attributes for the user themselves.

Scenario: with that in mind, when an admin (non super) with permissions to 'Sign in as user' from the Dashboard signs in as another user (non admin) to edit details on their behalf, the C5 edit bar doesn't disappear and any edits made using the wizard seem to be made against the admin's C5 account instead of the non-admin account they signed into. What's more, the data that is displayed in the fields is pulled from the non-admin user's account when going through the wizard process, making it seem like all is good until the admin signs out and back in as themself. The non-admin user's data seems to be unaffected and remains what it was before the edits.

We're investigating the possibility that a corporate proxy setup on the client's end, possibly combined with the use of SSL, may be wreaking havoc with the C5 session somehow.

I'm wondering if anyone has come across this kind of scenario in the past and maybe has some insight into what the problem could be and possibly how it can be corrected. The client is freaking out because of the possibility that personal data may be leaked to users that shouldn't have access.

The install is the latest version of the 5.6 line.

Thanks in advance!