Login for webapp, needs to be available for support staff

Posted by Christian W on Stack Overflow See other posts from Stack Overflow or by Christian W
Published on 2010-03-09T10:19:51Z Indexed on 2010/03/09 10:36 UTC
Read the original article Hit count: 324

Filed under:
|
|

I know the title is a little off, but it's hard to explain the problem in a short sentence.

I am the administrator of a legacy webapp that lets users create surveys and distribute them to a group of people. We have two kinds of "users".

  1. Authorized licenseholders which does all setup themselves.
  2. Clients who just want to have a survey run, but still need a user (because the webapp has "User" as the top entity in a surveyenvironment.)

Sometimes users in #1 want us to do the setup for them (which we offer to do). This means that we have to login as them. This is also how we do support: we login as them and then follow them along, guiding them.

Which brings me to my dilemma. Currently our security is below par. But this makes it simple for us to do support. We do want to increase our security, and one thing I have been considering is just doing the normal hashing to DB, however, we need to be able to login as a customer, and if they change their password without telling us, and the password is hashed in the db, we have no way of knowing it.

So I was thinking of some kind of twoway encryption for the passwords. Either that or some kind of master password.

Any suggestions?

(The platform is classic ASP... I said it was legacy...)

© Stack Overflow or respective owner

Related posts about asp

Related posts about authentication