This plugin for the Joomla CMS allows selected users (usually administrators) to log into other registered user accounts using their own passwords.
Compatible with Joomla versions 1.5, 2.5 and 3.
This plugin allows administrator users to log into the front end of their site as another registered user. Optionally this facility can be restricted to selected users only, or all users in a selected master user group (usually administrators) can be allowed to do this.
Because master users authenticate with their own passwords, which are encrypted and stored securely in the database as normal, this should not compromise the security of your site. Additionally, you can restrict the facility to selected IP addresses only.
This plugin works with the standard Joomla login and extensions that use this, and will also work with Community Builder if the Login Field Type is set to 'Username, email or enabled CMS authentication plugins'.
Uses the Joomla! updater
Usage - Easy Setup
Upload and install using the Joomla installer. Enable it in the plugin manager. Then click on the plugin name to view its options. Either set the 'enable by group' parameters to yes, or list the ids of selected administrators as a comma separated list in the 'Master User Ids' input box. If you wish to restrict by IP address then list allowed IP addresses as a comma separated list. Save the options.
Once enabled, the administrator can log in as any registered user by using that user's username and their own administrator password.
Clicking on the advanced tab will bring up the advanced plugin options. The 'restricted user group option' allows you to bar master users from logging into user accounts belonging to the selected groups. By default the plugin will use groups 7 and 8, the administrator and super-administrator groups. Unless you have been messing with the admin groups on your site you will not normally need to set this option explicitly, but you can if you need to.
The 'Master User Groups' option allows you to select the groups to which master users must belong. By default the plugin will use groups 7 and 8 for this setting. You may want to think about explicitly creating a separate master user group to use instead - read the discussion on security below for the reasoning behind this.
It should be possible to use this plugin without compromising the security of your site; however, it is worth thinking about the security aspects.
Firstly, because the master user simply uses their own password which is stored in encrypted form in the Joomla database, this should not compromise your site security.
However, 'brute force' attacks against Joomla sites are becoming more common. This is where repeated login attempts are made using random combinations of username and password - when the attacker successfully logs in they know they have succeeded. Usually the goal of such attacks is to obtain access to an administrator account. If you have a lot of registered users the plugin will somewhat increase your site's susceptibility to such attacks, because the attacker will only need to guess the username of any registered user combined with your administrator password, rather than an administrator username as well as password. There are several ways to protect your site from attackers exploiting the plugin in this way.
- Firstly, you can disable the plugin in the Joomla plugin manager when you are not using it. If you only need to use the plugin occasionally this is both simple and effective.
- In addition, if you normally access your site from the same IP address you can use the plugin options to restrict logins to this IP address.
- Rather than letting administrators act as master users you can explicitly create your own master user group with no administrator privileges - then if the master user account is compromised this will not give the attacker any admin access to your site.
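The options described above combine into a single allow/deny decision. The following Python model is an added example, not the plugin's own code: the field names, the sample users, group 20 and the reading that an unlisted user is refused when 'enable by group' is off are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    # Field names are hypothetical; the 7/8 defaults are the ones the page gives.
    enable_by_group: bool = False
    master_user_ids: set = field(default_factory=set)
    master_groups: set = field(default_factory=lambda: {7, 8})
    restricted_groups: set = field(default_factory=lambda: {7, 8})
    allowed_ips: list = field(default_factory=list)  # empty = no IP restriction

@dataclass
class User:
    id: int
    groups: set

def may_login_as(master, target, source_ip, policy):
    """Return (allowed, reason); the master's own password is assumed verified."""
    if policy.allowed_ips:
        try:
            src = ipaddress.ip_address(source_ip)
        except ValueError:
            return False, "unparseable source IP"
        if src not in {ipaddress.ip_address(ip.strip()) for ip in policy.allowed_ips}:
            return False, "source IP not in allow-list"
    if not master.groups & policy.master_groups:
        return False, "not in a master user group"
    # Assumption: without 'enable by group', the master must also be listed by id.
    if not policy.enable_by_group and master.id not in policy.master_user_ids:
        return False, "not a listed master user"
    if target.groups & policy.restricted_groups:
        return False, "target belongs to a restricted group"
    return True, "ok"

# Constructed sample data: group 20 is a hypothetical dedicated master group
# with no admin privileges; group 2 stands in for ordinary registered users.
POLICY = Policy(enable_by_group=True, master_groups={20},
                allowed_ips=["203.0.113.10"])
SUPPORT = User(id=501, groups={2, 20})
MEMBER = User(id=900, groups={2})
ADMIN = User(id=42, groups={8})

if __name__ == "__main__":
    for target, ip in [(MEMBER, "203.0.113.10"), (ADMIN, "203.0.113.10"),
                       (MEMBER, "198.51.100.7")]:
        print(may_login_as(SUPPORT, target, ip, POLICY))
```

With the dedicated master group in place, the administrator account is neither a master user nor a reachable target, so guessing its password gains nothing through the plugin.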
The plugin sets a session variable when a user logs in as a master user, which can be picked up by other extensions. See this forum topic for further information.