Admin access to edit profile of any user - Problem with session

Thursday, July 10, 2014

I have made a PHP application which will be used by many users. When a user logs in, I create a session and keep the user id and some other details in the session. There are some ajax requests when the user edits his profile. So in no way am I exposing the user id. But I always refer to the session. Even when the user saves his profile, the controller gets the id from the session and then passes it to the model.

Now there is an admin, who should be able to view/edit any profile. This is done. I have an admin page with a user table. When he clicks on any player, it goes to another controller, which creates the session for that user, and then the admin can edit the profile. For any requests that go from the admin page, the session is first erased, keeping the admin variable active, and then the user session is appended.

Problem: When the admin tries to view multiple profiles at once, he can do that. But when the admin tries to edit multiple profiles at the same time (opening a new browser tab for each user), it fails, because the last tab that he opens sets the new session for that particular user.

How can I get over this scenario? What options do I have? Is it possible?

I don't want to append user ids to all URLs. They are not safe, especially for URLs which do update/delete.
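One way to structure the save controller so that the session keeps identifying the admin while the target user travels with each request, as an added PHP example (not the poster's code; the user table, function names and the shape of the request array are constructed for illustration). Each request is authorised against the session on the server side, and state-changing requests carry a per-session CSRF token, so a target id appearing in a request is only acted upon when the logged-in user is permitted to edit that profile:

```php
<?php
// Added example (not the poster's code). The session records WHO is acting;
// the request says WHICH profile is being edited. Two admin tabs therefore
// never overwrite each other's session state.
declare(strict_types=1);

// Constructed user table standing in for the model layer.
$users = [
    1 => ['name' => 'admin', 'is_admin' => true,  'bio' => ''],
    7 => ['name' => 'alice', 'is_admin' => false, 'bio' => 'old'],
    9 => ['name' => 'bob',   'is_admin' => false, 'bio' => 'old'],
];

// Issue (or reuse) a per-session CSRF token; update/delete requests must carry it.
function csrf_token(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Authorisation rule: a user may edit their own profile, an admin may edit any.
function may_edit_profile(array $session, int $targetId): bool
{
    if (!isset($session['user_id'])) {
        return false;                               // not logged in
    }
    return $session['user_id'] === $targetId || !empty($session['is_admin']);
}

// "Save profile" controller. $request mimics $_POST: target_id, bio, csrf.
function save_profile(array &$session, array $request, array &$users): array
{
    // Constant-time token comparison; reject when missing or wrong.
    if (!isset($request['csrf'])
        || !hash_equals(csrf_token($session), (string) $request['csrf'])) {
        return ['status' => 403, 'error' => 'bad csrf token'];
    }
    $targetId = filter_var($request['target_id'] ?? null, FILTER_VALIDATE_INT);
    if ($targetId === false || !isset($users[$targetId])) {
        return ['status' => 404, 'error' => 'no such user'];
    }
    if (!may_edit_profile($session, $targetId)) {
        return ['status' => 403, 'error' => 'forbidden'];
    }
    $users[$targetId]['bio'] = (string) ($request['bio'] ?? '');
    return ['status' => 200, 'edited' => $targetId, 'by' => $session['user_id']];
}

// The admin logs in once; the session never switches to the target user.
$adminSession = ['user_id' => 1, 'is_admin' => true];
$token = csrf_token($adminSession);

// Two browser tabs editing two different users at the same time.
$r1 = save_profile($adminSession, ['target_id' => '7', 'bio' => 'alice v2', 'csrf' => $token], $users);
$r2 = save_profile($adminSession, ['target_id' => '9', 'bio' => 'bob v2',   'csrf' => $token], $users);

// Alice tampers with the id in her own request to reach Bob's profile: refused.
$aliceSession = ['user_id' => 7, 'is_admin' => false];
$r3 = save_profile($aliceSession, ['target_id' => '9', 'bio' => 'pwned', 'csrf' => csrf_token($aliceSession)], $users);

// A request without the token (e.g. forged from another site): refused.
$r4 = save_profile($adminSession, ['target_id' => '7', 'bio' => 'x'], $users);

foreach (['tab 1' => $r1, 'tab 2' => $r2, 'alice->bob' => $r3, 'no token' => $r4] as $label => $r) {
    echo $label, ': ', json_encode($r), PHP_EOL;
}
```

If the numeric id must still not appear in the URL or form, the same structure works with an opaque per-tab token: the admin's session holds a map from token to target user id, the request carries the token, and `may_edit_profile` is still run on the resolved id before anything is written.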