Debugging is a mandatory part of the development process. Resolving real-time issues requires developers to access user account data. Properly designed applications do not store passwords in clear text in the database, so you may have a hard time impersonating users.
Developers can override the user login mechanism and either ignore the entered password or implement a master password in the system.
Eliminate Password On Local Host
One simple technique is to have the application ignore the password when it runs on the localhost address. The following code allows signing into the application with the admin and offline1 user accounts while ignoring the password. This is possible only if the request is received on the localhost address.
Visual Basic
Namespace MyCompany.Services
    Partial Public Class ApplicationServices
        Public Overrides Function UserLogin(username As String, password As String, createPersistentCookie As Boolean) As Boolean
            ' Skip the password check only for requests that originate on the local machine.
            If (HttpContext.Current.Request.IsLocal) Then
                If (username = "admin") Then
                    Return True
                End If
                If (username = "offline1") Then
                    Return True
                End If
            End If
            ' Every other request goes through the regular membership login.
            Return MyBase.UserLogin(username, password, createPersistentCookie)
        End Function
    End Class
End Namespace
Implement Master Password
The following code allows logging into any user account if the password has a specific value. In other words, the secret master phrase will let the user into the application.
Visual Basic
Namespace MyCompany.Services
    Partial Public Class ApplicationServices
        Public Overrides Function UserLogin(username As String, password As String, createPersistentCookie As Boolean) As Boolean
            ' The master phrase opens any account regardless of the stored password.
            If (password = "SecretMasterPassword") Then
                Return True
            End If
            ' Otherwise fall back to the regular membership login.
            Return MyBase.UserLogin(username, password, createPersistentCookie)
        End Function
    End Class
End Namespace
Be Careful!
Both techniques can pose a problem in applications with high security requirements. Make sure that the techniques described above are reviewed by the stakeholders for potential abuse.
The master password technique can be enhanced with an explicit access grant from the account owner. A table with UserName and ExpirationDate columns is looked up when the master password is entered. If a row exists for the account and its expiration date is still in the future, the master password will "unlock" the account. End users must be provided with a simple form where they can grant access to their account for a specific duration of time. Submitting the form creates a row in the Account Access table. Optionally, a one-time master password can be generated and emailed to the support personnel.
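The access-grant variant described above, as an added example that is not part of the original page. It assumes an AccountAccess table with UserName and ExpirationDate columns, a connection string named MyCompany, and the master phrase stored in the MasterPassword appSettings key of web.config instead of in source code; a grant is deleted as soon as it is used, so it unlocks the account only once, and each use is written to the trace log.

```vb
Imports System.Configuration
Imports System.Data.SqlClient
Imports System.Diagnostics

Namespace MyCompany.Services
    Partial Public Class ApplicationServices
        Public Overrides Function UserLogin(username As String, password As String, createPersistentCookie As Boolean) As Boolean
            ' Master phrase is read from web.config (assumed key "MasterPassword")
            ' so it can be rotated without a rebuild.
            Dim masterPassword As String = ConfigurationManager.AppSettings("MasterPassword")
            If Not String.IsNullOrEmpty(masterPassword) AndAlso password = masterPassword Then
                If ConsumeAccessGrant(username) Then
                    Trace.TraceInformation("Support login to account {0} via access grant", username)
                    Return True
                End If
                ' No active grant: fall through to the normal check so the
                ' master phrase alone never opens an account.
            End If
            Return MyBase.UserLogin(username, password, createPersistentCookie)
        End Function

        ' Looks up the AccountAccess row created by the owner's "grant access" form.
        ' Returns True only when a row exists whose ExpirationDate is still in the
        ' future, and removes it in the same statement so the grant is one-time.
        Private Function ConsumeAccessGrant(username As String) As Boolean
            Dim cs As String = ConfigurationManager.ConnectionStrings("MyCompany").ConnectionString
            Using connection As New SqlConnection(cs)
                connection.Open()
                Using command As New SqlCommand( _
                        "DELETE FROM AccountAccess " & _
                        "WHERE UserName = @UserName AND ExpirationDate > @Now", connection)
                    ' Parameters keep the lookup safe from injection through the user name.
                    command.Parameters.AddWithValue("@UserName", username)
                    command.Parameters.AddWithValue("@Now", DateTime.UtcNow)
                    ' ExecuteNonQuery returns the number of rows deleted.
                    Return command.ExecuteNonQuery() > 0
                End Using
            End Using
        End Function
    End Class
End Namespace
```

Expired rows are never matched, so a grant that the user set for one hour simply stops working after that hour even if nobody cleans the table.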