How to create a “backdoor” for administrator, to b

Published 2019-06-14 06:17

Question:

I am creating an online survey tool.

As an administrator, I would like to see what the users have answered and also be able to answer on their behalf. The system gets a user's answers and other information based on his/her username, when they are logged in, using the built-in membership provider.

There are currently three roles: Administrator, Moderator and Respondent

If I would like to show my administrator a list of users, how would it be possible to create a "backdoor" for the administrator, so that he can "log in" as the user, see the user's answers etc.? (Just like the user would be able to if he was logged in to his own account.)

When answering and retrieving questions, the system is bound to `User.Identity.Name`.


My suggestion on how to solve this:

Currently, when I want to retrieve a user's answers I use the following code:

```csharp
Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;
var answers = db.Tabelform_Answers.Where(x => x.question_id == model.Question_ID && x.respondent == Firma_ID);
```

This is because I have a table named Firma that has a column referencing a user's Name, called CVR_Nummer. I then retrieve all the records in the Tabelform_Answers table that match question_id and Firma_ID (a user's answers for a specific question).

Instead of using `Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;` to retrieve the Firma_ID of a given user, I could store it in the Session upon login. When I want to view a specific user's answers as Administrator, I would then just change Firma_ID in the Session. Changing Firma_ID in the Session would only be allowed through a controller which has the following code:

```csharp
[Authorize(Roles = "Administrator")]
```

Also, I would set the Session timeout to be the same as the Authentication timeout.

Can somebody tell me the pros and cons of this solution? Are there any other ways of storing a "global" variable for a Session (Firma_ID)?

Thanks

Answer 1:

If you only need to log in as your users, I went for a ticket method. I have a special login page that can take a ticket id. This ticket is created in the admin GUI when the admin wants to log in as another user. The login page checks the ticket in the database, logs in the wanted user, and then deletes/marks the ticket as used. As added security, a ticket is only valid for 10 seconds after creation.

Another option is to make answers from users available from the admin GUI...
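The ticket flow described in this answer, written out as an added example (not the answerer's code) for ASP.NET MVC with Forms Authentication, the membership stack the question uses. The ImpersonationTickets store, the ImpersonationController and the in-memory dictionary are hypothetical stand-ins for the answerer's database table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web.Mvc;
using System.Web.Security;
// Hypothetical in-memory store standing in for the ticket table the answer describes.
// TargetUser: account to sign in as; IssuedBy: the admin, kept for the audit trail.
public class ImpersonationTicket { public string TargetUser, IssuedBy; public DateTime ExpiresUtc; }

public static class ImpersonationTickets
{
    private static readonly ConcurrentDictionary<string, ImpersonationTicket> Store =
        new ConcurrentDictionary<string, ImpersonationTicket>();
    public static string Issue(string adminName, string targetUser)
    {
        var bytes = new byte[32];                                  // 256-bit unguessable id
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var id = BitConverter.ToString(bytes).Replace("-", "");   // hex, so it is URL-safe
        Store[id] = new ImpersonationTicket { TargetUser = targetUser, IssuedBy = adminName,
                                              ExpiresUtc = DateTime.UtcNow.AddSeconds(10) }; // 10 s window
        return id;
    }
    // TryRemove is atomic, so a ticket can be redeemed exactly once, even under concurrent requests.
    public static ImpersonationTicket Redeem(string id)
    {
        ImpersonationTicket t;
        if (id == null || !Store.TryRemove(id, out t)) return null;
        return DateTime.UtcNow <= t.ExpiresUtc ? t : null;        // expired tickets are dropped
    }
}

public class ImpersonationController : Controller
{
    // Only administrators can mint a ticket; POST + anti-forgery token stop CSRF-driven issuance.
    [Authorize(Roles = "Administrator"), HttpPost, ValidateAntiForgeryToken]
    public ActionResult Create(string targetUser)
    {
        if (Membership.GetUser(targetUser) == null) return HttpNotFound();
        return RedirectToAction("Redeem", new { ticket = ImpersonationTickets.Issue(User.Identity.Name, targetUser) });
    }
    [AllowAnonymous]   // the admin's own cookie is replaced below, so this must not require a role
    public ActionResult Redeem(string ticket)
    {
        var t = ImpersonationTickets.Redeem(ticket);
        if (t == null) return new HttpUnauthorizedResult();
        System.Diagnostics.Trace.TraceInformation("impersonation: {0} signed in as {1}", t.IssuedBy, t.TargetUser);
        FormsAuthentication.SetAuthCookie(t.TargetUser, false);    // non-persistent session cookie
        return RedirectToAction("Index", "Home");
    }
}
```

Because the ticket id travels in the URL, it ends up in browser history and server logs, which is exactly why the single-use check and the 10-second expiry matter; the trace line keeps a record of which admin acted as which user after the ticket itself is gone.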



Answer 2:

You can also do an override in your log-in script.

So you have at present something like:

if the user name and password match the string, then the user is logged in, and based on this you get the user's permissions.

Instead, have an admin page where you can select a user and then apply that user's permissions instead of the admin's.