Debugging With Any User Account

Learn how to debug your app with any user account even when you do not know the password.

Debugging is a mandatory part of the development process. Solving real-time issues requires developers to access the user account data. Properly designed applications do not store passwords in clear text in the database, and therefore you may have a hard time impersonating users.

Developers can override the user login mechanism and either ignore the entered password or implement a master password in the system.

Eliminate Password On Local Host

One simple technique is to have the app ignore the password when it runs on the localhost address. The following code allows signing into the application with the admin and offline1 user accounts while ignoring the password. This is possible only if the request is received on the localhost address.

Visual Basic
Imports System.Web

Namespace MyCompany.Services

    Partial Public Class ApplicationServices
        Public Overrides Function UserLogin(username As String, password As String, createPersistentCookie As Boolean) As Boolean
            ' The password is ignored only for requests received on the localhost address.
            If (HttpContext.Current.Request.IsLocal) Then
                If (username = "admin") Then
                    Return True
                End If
                If (username = "offline1") Then
                    Return True
                End If
            End If
            ' All other requests go through the standard login.
            Return MyBase.UserLogin(username, password, createPersistentCookie)
        End Function
    End Class

End Namespace

Implement Master Password

The following code allows login to any user account if the password has a specific value. In other words, the secret master phrase will let the user into the application.

Visual Basic
Namespace MyCompany.Services

    Partial Public Class ApplicationServices
        Public Overrides Function UserLogin(username As String, password As String, createPersistentCookie As Boolean) As Boolean
            ' Any account is unlocked when the master password is entered.
            If (password = "SecretMasterPassword") Then
                Return True
            End If
            ' Otherwise the standard login is performed.
            Return MyBase.UserLogin(username, password, createPersistentCookie)
        End Function
    End Class

End Namespace

Be Careful!

Both techniques can pose a potential problem in applications with high security requirements. Make sure that the techniques described above are reviewed by the stakeholders for potential abuse.

The master password technique can be enhanced with an explicit account access grant by the application users. A table with the UserName and account access ExpirationDate columns can be looked up when the master password is entered. If there is a row for the user and the expiration date is still in the future, then the master password will “unlock” the account. End users must be provided with a simple form where they can grant access to their account for a specific duration of time. The form submission by the user will create a row in the Account Access table. Optionally, a one-time master password can be generated and emailed to the support personnel.
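
The enhancement described above can be sketched as follows. This is an added example, not code from the original page or from the product. It assumes a SQL Server table AccountAccess(UserName, ExpirationDate) with dates stored in UTC, a connection string named "MyCompany", and an app setting named "MasterPassword"; all of these names are hypothetical.

```vb
Imports System.Configuration
Imports System.Data.SqlClient
Imports System.Diagnostics

Namespace MyCompany.Services

    Partial Public Class ApplicationServices
        Public Overrides Function UserLogin(username As String, password As String, createPersistentCookie As Boolean) As Boolean
            ' Assumed app setting. A missing or empty value disables the master password;
            ' without this guard an empty password would match, since VB treats Nothing as "".
            Dim master As String = ConfigurationManager.AppSettings("MasterPassword")
            If Not String.IsNullOrEmpty(master) AndAlso String.Equals(password, master, StringComparison.Ordinal) Then
                If HasActiveAccessGrant(username) Then
                    ' Leave an audit trail for every master password login.
                    Trace.TraceWarning("Master password login to account '{0}'.", username)
                    Return True
                End If
                ' No unexpired grant: the master password unlocks nothing.
                Trace.TraceWarning("Master password refused for '{0}': no active grant.", username)
            End If
            Return MyBase.UserLogin(username, password, createPersistentCookie)
        End Function

        ' True when the user has granted access and the grant has not expired yet.
        Private Shared Function HasActiveAccessGrant(username As String) As Boolean
            If String.IsNullOrEmpty(username) Then
                Return False
            End If
            ' Assumed connection string name and table layout (hypothetical).
            Dim cs As String = ConfigurationManager.ConnectionStrings("MyCompany").ConnectionString
            Using connection As New SqlConnection(cs)
                Using command As New SqlCommand(
                    "SELECT COUNT(*) FROM AccountAccess " &
                    "WHERE UserName = @UserName AND ExpirationDate > @Now", connection)
                    ' Parameters keep the user name out of the SQL text.
                    command.Parameters.AddWithValue("@UserName", username)
                    command.Parameters.AddWithValue("@Now", DateTime.UtcNow)
                    connection.Open()
                    Return CInt(command.ExecuteScalar()) > 0
                End Using
            End Using
        End Function
    End Class

End Namespace
```

When the user has not granted access or the grant has expired, the call falls through to the standard login, so the master password alone never opens an account.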