User Story
As a user,
I want to return to my original session immediately after ending an impersonation,
So that I can resume my original session without the friction of logging back in.
Acceptance Criteria
- Preserve Original Session: When starting impersonation, the admin’s original
authula.session_token must be preserved (e.g., moved to authula.session_token.original).
- Seamless Restoration: When ending impersonation, the system must restore the original token from the
.original cookie back to the primary session cookie.
- No Re-authentication: The admin should not be redirected to the login page or prompted for credentials upon ending the session.
- Cleanup: The temporary
.original cookie should be cleared once the restoration is successful.
- Persist permissions: User's permissions must be stored within the Actor claims mapping so they aren't locked out from stopping impersonation as the current bug mentioned in the comment below prevents the user from stopping impersonation now as they're completely acting as the impersonatee without any reference to their original permissions.
- Security: Ensure the
.original cookie carries the same HttpOnly, Secure, and SameSite flags as the standard session token to prevent hijacking.
User Story
As a user,
I want to return to my original session immediately after ending an impersonation,
So that I can resume my original session without the friction of logging back in.
Acceptance Criteria
authula.session_tokenmust be preserved (e.g., moved toauthula.session_token.original)..originalcookie back to the primary session cookie..originalcookie should be cleared once the restoration is successful..originalcookie carries the sameHttpOnly,Secure, andSameSiteflags as the standard session token to prevent hijacking.