Cover of the book Symfony 5: The Fast Track

Symfony 5: The Fast Track is the best book to learn modern Symfony development, from zero to production. +300 pages in full color showing how to combine Symfony with Docker, APIs, queues & async tasks, Webpack, Single-Page Applications, etc.

Buy printed version
Buy PDF version
  1. Home
  2. Documentation
  3. Security
  4. How to Impersonate a User
WARNING: You are browsing the documentation for Symfony 3.1 which is not maintained anymore. Consider upgrading your projects to Symfony 5.1.

How to Impersonate a User

3.1 version
Maintained
3.4 4.4 5.1 current 5.2 master
Unmaintained
2.7 2.8 3.0 3.2 3.3 4.0 4.1 4.2 4.3 5.0

How to Impersonate a User

Sometimes, it’s useful to be able to switch from one user to another without having to log out and log in again (for instance when you are debugging or trying to understand a bug a user sees that you can’t reproduce).

Caution

User impersonation is not compatible with pre authenticated firewalls. The reason is that impersonation requires the authentication state to be maintained server-side, but pre-authenticated information (SSL_CLIENT_S_DN_Email, REMOTE_USER or other) is sent in each request.

Impersonating the user can be easily done by activating the switch_user firewall listener:

  • YAML
    1
2
3
4
5
6
7
8
    # app/config/security.yml
security:
    # ...

    firewalls:
        main:
            # ...
            switch_user: true
  • XML
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
    <!-- app/config/security.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        http://symfony.com/schema/dic/services/services-1.0.xsd">

    <config>
        <!-- ... -->

        <firewall name="main">
            <!-- ... -->
            <switch-user />
        </firewall>
    </config>
</srv:container>
  • PHP
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
    // app/config/security.php
$container->loadFromExtension('security', array(
    // ...

    'firewalls' => array(
        'main'=> array(
            // ...
            'switch_user' => true,
        ),
    ),
));

To switch to another user, just add a query string with the _switch_user parameter and the username as the value to the current URL:

1
http://example.com/somewhere?_switch_user=thomas

To switch back to the original user, use the special _exit username:

1
http://example.com/somewhere?_switch_user=_exit

During impersonation, the user is provided with a special role called ROLE_PREVIOUS_ADMIN. In a template, for instance, this role can be used to show a link to exit impersonation:

  • Twig
    1
2
3
    {% if is_granted('ROLE_PREVIOUS_ADMIN') %}
    <a href="{{ path('homepage', {'_switch_user': '_exit'}) }}">Exit impersonation</a>
{% endif %}
  • PHP
    1
2
3
4
5
6
7
    <?php if ($view['security']->isGranted('ROLE_PREVIOUS_ADMIN')): ?>
    <a href="<?php echo $view['router']->path('homepage', array(
        '_switch_user' => '_exit',
    ) ?>">
        Exit impersonation
    </a>
<?php endif ?>

In some cases you may need to get the object that represents the impersonating user rather than the impersonated user. Use the following snippet to iterate over the user’s roles until you find one that a SwitchUserRole object:

use Symfony\Component\Security\Core\Role\SwitchUserRole;

$authChecker = $this->get('security.authorization_checker');
$tokenStorage = $this->get('security.token_storage');

if ($authChecker->isGranted('ROLE_PREVIOUS_ADMIN')) {
    foreach ($tokenStorage->getToken()->getRoles() as $role) {
        if ($role instanceof SwitchUserRole) {
            $impersonatingUser = $role->getSource()->getUser();
            break;
        }
    }
}

Of course, this feature needs to be made available to a small group of users. By default, access is restricted to users having the ROLE_ALLOWED_TO_SWITCH role. The name of this role can be modified via the role setting. For extra security, you can also change the query parameter name via the parameter setting:

  • YAML
    1
2
3
4
5
6
7
8
    # app/config/security.yml
security:
    # ...

    firewalls:
        main:
            # ...
            switch_user: { role: ROLE_ADMIN, parameter: _want_to_be_this_user }
  • XML
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
    <!-- app/config/security.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        http://symfony.com/schema/dic/services/services-1.0.xsd">
    <config>
        <!-- ... -->

        <firewall name="main">
            <!-- ... -->
            <switch-user role="ROLE_ADMIN" parameter="_want_to_be_this_user" />
        </firewall>
    </config>
</srv:container>
  • PHP
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
    // app/config/security.php
$container->loadFromExtension('security', array(
    // ...

    'firewalls' => array(
        'main'=> array(
            // ...
            'switch_user' => array(
                'role' => 'ROLE_ADMIN',
                'parameter' => '_want_to_be_this_user',
            ),
        ),
    ),
));

Events

The firewall dispatches the security.switch_user event right after the impersonation is completed. The Symfony\Component\Security\Http\Event\SwitchUserEvent is passed to the listener, and you can use this to get the user that you are now impersonating.

The Making the Locale “Sticky” during a User’s Session article does not update the locale when you impersonate a user. The following code sample will show how to change the sticky locale:

  • YAML
    1
2
3
4
5
6
    # app/config/services.yml
services:
    app.switch_user_listener:
        class: AppBundle\EventListener\SwitchUserListener
        tags:
            - { name: kernel.event_listener, event: security.switch_user, method: onSwitchUser }
  • XML
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
    <!-- app/config/services.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<container xmlns="http://symfony.com/schema/dic/services"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        http://symfony.com/schema/dic/services/services-1.0.xsd"
>
    <services>
        <service id="app.switch_user_listener"
            class="AppBundle\EventListener\SwitchUserListener"
        >
            <tag name="kernel.event_listener"
                event="security.switch_user"
                method="onSwitchUser"
            />
        </service>
    </services>
</container>
  • PHP
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
    // app/config/services.php
use AppBundle\EventListener\SwitchUserListener;

$container
    ->register('app.switch_user_listener', SwitchUserListener::class)
    ->addTag('kernel.event_listener', array(
        'event' => 'security.switch_user',
        'method' => 'onSwitchUser'
    ))
;

Caution

The listener implementation assumes your User entity has a getLocale() method.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
// src/AppBundle/EventListener/SwitchUserListener.php
namespace AppBundle\EventListener;

use Symfony\Component\Security\Http\Event\SwitchUserEvent;

class SwitchUserListener
{
    public function onSwitchUser(SwitchUserEvent $event)
    {
        $event->getRequest()->getSession()->set(
            '_locale',
            $event->getTargetUser()->getLocale()
        );
    }
}

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.