I have a couple of queries related to impersonation:
a. What is the suggested way to implement impersonation, considering the security aspects of the application?
Currently in my setup, once the impersonator is finished with work he clicks on a link which ends his impersonation, and the next page gives him an option to perform the impersonation again (basically I am redirecting back to the same page which the impersonator accessed at first to start the impersonation). Is it the right way of implementing the impersonation to give the impersonator the option to perform the impersonation again, or is it better to end the session for the impersonator?
b. In my setup, once the impersonator performs login, he is provided with an option to enter the id of the user to impersonate. Once the impersonator enters the impersonate id and clicks on submit, you have the session for the impersonate, which allows the impersonator to test the application and also gives the impersonator an option to access other applications which the impersonate has access to. How to restrict this such that the impersonator can only access the particular application which can be impersonated and not the other applications?
c. Is it necessary to protect the page, e.g. endimp.fcc, which is used for ending the impersonation?
Ujwol
Thanks,
Anirudh.
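The three concerns in the question (scoping an impersonation session to one application, ending it cleanly, and protecting the end-impersonation page) modelled as an added example; this is a hypothetical session store, not SiteMinder's own mechanism, and the session ids, application names and `end_token` are assumptions for illustration:

```python
"""Hypothetical model (added example, not the product's own code) of an
impersonation session that is scoped to a single application and whose
"end impersonation" step is bound to the impersonator's own session."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional
import secrets


@dataclass
class Session:
    user: str                              # effective identity applications see
    impersonator: Optional[str] = None     # real identity while impersonating
    scope: FrozenSet[str] = frozenset()    # apps reachable while impersonating
    end_token: str = ""                    # ties the end-impersonation request to this session


SESSIONS: Dict[str, Session] = {}          # session id -> session (constructed in-memory store)


def login(user: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def start_impersonation(sid: str, target: str, app: str) -> str:
    s = SESSIONS[sid]
    if s.impersonator is not None:
        raise PermissionError("already impersonating; end it first")
    s.impersonator, s.user = s.user, target        # remember who is really driving
    s.scope = frozenset({app})                     # question (b): only this application
    s.end_token = secrets.token_urlsafe(16)        # question (c): needed to end impersonation
    return s.end_token


def authorize(sid: str, app: str) -> bool:
    s = SESSIONS.get(sid)
    if s is None:
        return False
    if s.impersonator is not None and app not in s.scope:
        return False   # other apps the impersonated user could reach stay closed
    return True


def end_impersonation(sid: str, token: str) -> str:
    """Restore the impersonator's own identity; returns who that was."""
    s = SESSIONS[sid]
    if s.impersonator is None or not secrets.compare_digest(token, s.end_token):
        raise PermissionError("end-impersonation page refused: wrong or missing token")
    original = s.impersonator
    s.user, s.impersonator, s.scope, s.end_token = original, None, frozenset(), ""
    return original   # question (a): caller may instead delete SESSIONS[sid] to force re-login
```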