R – How to support a web app with hashed or encrypted passwords

credentials, passwords, security, web-applications

When supporting a new web app in an enterprise environment, it is often necessary to log in as a specific user in order to diagnose a real or perceived problem they are having. Two opposing issues apply here:

  1. Best practice is to use hashed or encrypted passwords, not clear text. Sometimes, there is a third-party SSO (single sign-on) in the middle. There is no way to retrieve the user's password. Unless the user provides it (not encouraged), there is no way to log in as that user.

  2. Many web app's have personalization and complex authorization. Different users have different roles (admin, manager, user) with different permissions. Sometimes users can only see their data — their customers or tasks. Some users have read-only access, while others can edit. So, each user's view of the web app is unique.

Assume that in an enterprise environment, it isn't feasible to go to the user's desk, or to connect directly to their machine.

How do you handle this situation?

Edit: I want to reiterate that in a large financial institution or typical Fortune 500 company with hundreds of thousands of employees all of the country, and around the world, it is not possible for a mere developer in some IT unit to be able to directly access a user's machine. Some of those are public-facing web apps used by customers (such as online banking and stock trading). And, many of those are intranet applications rely on Active Directory or an SSO, meaning that user credentials are the same for many applications. I do thank you all for your suggestions; some may be highly useful in other kinds of environments.

Best Solution

A number of these ideas inconvenience the user, either by forcing them to change their password, or by occupying their desktop for your debugging session.

Markc's idea is the best: augment your authentication logic to allow superusers to log in as a particular user by supplying not the user's credentials, but the user's name plus their superuser credentials.

I've done it like this in the past (pseudo-ish python):

if is_user_authenticated(username, userpassword):    login the userelse if ':' in userpassword:    supername, superpassword = userpassword.split(':')    if is_superuser_authenticated(supername, superpassword):        login the user

In other words, if the username and password don't authenticate, if the password has a colon, then it's actually the admin username and admin password joined by a colon, so login as the username if they are the right admin username and password.

This means you can login as the user without knowing their secrets, and without inconveniencing them.