This repository contains a Login as Customer module that allows authorized Admin users to log in as customers from the Admin Panel with multi-website support and full audit traceability.
- Multi-Website Support - Login as customer on any website (Ashokdubariya, Coverion, etc.)
- Smart Button Detection - Automatically shows single button or dropdown based on available websites
- Grid & Edit Page Access - Login from customer grid or edit page
- Cryptographically Secure - Token-based login; tokens are generated with `random_bytes(32)` and stored only as SHA-256 hashes
- Complete Audit Trail - Track every login attempt with full details
- ACL Protected - Granular permission control
- One-Time Tokens - Prevents replay attacks
- Configurable Expiry - Default 5-minute token lifetime
- Cryptographically Secure Tokens - Uses `random_bytes(32)` for token generation
- SHA-256 Hash Storage - Tokens stored as hashes, never plaintext
- Single-Use Tokens - Automatically invalidated after first use
- Configurable Expiry - Default 5 minutes, prevents stale tokens
- ACL Protected - Separate permissions for the login action, viewing the audit log and editing the module configuration
- Complete Audit Trail - Logs every attempt with admin/customer/IP/timestamp
- CSRF Protection - Leverages Magento's form key validation
- No Password Access - The customer's password is never entered or read; a customer session is created directly
- IP Tracking - Records admin IP for forensics
- Replay Prevention - A token is marked used after its first login; presenting the same token again is rejected
- Magento Open Source 2.4.4+
- PHP 8.1+
- Module Name: `Ashokdubariya_LoginAsCustomer`
- Package Name: `ashokdubariya/module-login-as-customer`
- Module Type: Magento 2 Custom Module
- License: MIT
Composer installation:

```shell
composer require ashokdubariya/module-login-as-customer
php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento setup:static-content:deploy -f
php bin/magento cache:flush
```

Manual installation:

- Copy the module to Magento:

```shell
mkdir -p app/code/Ashokdubariya/LoginAsCustomer
# Copy module files to app/code/Ashokdubariya/LoginAsCustomer
```

- Run Magento commands:

```shell
php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento setup:static-content:deploy -f
php bin/magento cache:flush
```

Navigate to: Stores > Configuration > Ashokdubariya > Login as Customer
| Setting | Description | Default |
|---|---|---|
| Enable Module | Enable/Disable functionality | Yes |
| Token Lifetime (minutes) | How long token remains valid | 5 |
| Redirect Page After Login | URL path after login | customer/account |
| Enable Audit Logging | Log all attempts | Yes |
- Navigate to: System > Permissions > User Roles
- Edit the desired role
- Under Role Resources, expand Customers
- Check:
- Login as Customer > Perform Login as Customer Action
- Login as Customer > View Audit Log
- Under Stores > Configuration, check:
- Login as Customer Configuration
- Save Role
Single Website Customer:
- Navigate to: Customers > All Customers
- Locate customer row
- Click Select in Actions dropdown
- Click Login as Customer
- New window opens with customer logged in
Multi-Website Customer:
- Navigate to: Customers > All Customers
- Locate customer row
- Click Select in Actions dropdown
- You'll see multiple options:
- Login as Customer (Default)
- Login as Customer (Wholesale)
- etc.
- Click the desired website option
- New window opens with customer logged into that website
Single Website Customer:
- Navigate to: Customers > All Customers
- Click Edit on a customer
- Click Login as Customer button in header
- New window opens with customer logged in
Multi-Website Customer:
- Navigate to: Customers > All Customers
- Click Edit on a customer
- Click Login as Customer dropdown button in header
- Select the desired website from dropdown:
- Default
- Wholesale
- etc.
- New window opens with customer logged into selected website
The module detects which websites are available for the customer:
- Global Customer Sharing (scope = 0): Shows all websites
- Per-Website Sharing (scope = 1): Shows only customer's assigned website
- Single Website: Simple button/action
- Multiple Websites: Dropdown button/multiple actions
- Navigate to: Customers > Login as Customer
- View grid with columns:
- Log ID
- Admin ID / Username
- Customer ID / Email
- IP Address
- Status (Pending/Success/Expired/Failed)
- Store View
- Created At / Expires At / Used At
- Use filters to search by admin, customer, status, date range
- Token Generation: Cryptographically secure `random_bytes(32)`, hex-encoded to 64 chars
- Token Storage: Only the SHA-256 hash (64 hex chars) is stored; the raw token is discarded after the URL is generated
- Single-Use: Token status changes from `pending` to `success` after first use; subsequent attempts are rejected
- Expiration: Configurable TTL (default 5 min), validated server-side against the stored timestamp
- Audit Logging: Every attempt logged with:
- Admin ID/username
- Customer ID/email
- IP address
- Timestamp
- Outcome (success/failed/expired)
- ACL Enforcement: Separate permissions for:
- Performing login action
- Viewing audit log
- Modifying configuration
- CSRF Protection: Magento's built-in form key validation on admin controllers
- Session Regeneration: Customer session ID regenerated after login
- No Password Exposure: Customer password hash never accessed
- No customer password access
- No plaintext token storage
- No unlimited token lifetime
- No token reuse
- No bypass of ACL permissions
- No modification of customer data during login
- Detects customer's primary website ID
- Checks customer sharing configuration
- Retrieves all accessible websites
- Generates appropriate UI (single/multiple actions)
- Passes the `website_id` parameter to the controller
- Controller selects the correct store based on the website
- Redirects to appropriate website base URL
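The website-detection rules (global sharing shows all websites, per-website sharing shows only the customer's own) and the grid-to-controller flow just listed, as an added example that is not the module's code. The scope values mirror Magento's customer account sharing setting, `customer/account_share/scope` (0 = Global, 1 = Per Website); the function names, the sample website list and the controller-side check that the requested `website_id` is one the UI was allowed to offer are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the module's code. Values of Magento's
// customer/account_share/scope setting: 0 = Global, 1 = Per Website.
const SHARE_GLOBAL  = 0;
const SHARE_WEBSITE = 1;

/**
 * Websites the Login as Customer button/dropdown should offer.
 * @param array<int, string> $allWebsites  website_id => website name
 * @return array<int, string>
 */
function loginTargets(int $shareScope, int $customerWebsiteId, array $allWebsites): array
{
    if ($shareScope === SHARE_GLOBAL) {
        return $allWebsites;                       // one account valid on every website
    }
    // Per-website accounts exist only on the website they were created in
    if (!isset($allWebsites[$customerWebsiteId])) {
        throw new RuntimeException("customer website {$customerWebsiteId} not found");
    }
    return [$customerWebsiteId => $allWebsites[$customerWebsiteId]];
}

/** Grid/edit-page side: single button or a dropdown, one entry per website. */
function renderChoice(array $targets): string
{
    if (count($targets) === 1) {
        $id = array_key_first($targets);
        return "button: Login as Customer -> website_id={$id}";
    }
    $lines = [];
    foreach ($targets as $id => $name) {
        $lines[] = "  Login as Customer ({$name}) -> website_id={$id}";
    }
    return "dropdown:\n" . implode("\n", $lines);
}

/**
 * Controller side (assumed check): the website_id arriving in the request is
 * attacker-editable, so re-derive the permitted set and reject anything else
 * before choosing the store and redirecting.
 */
function resolveWebsite(int $requestedWebsiteId, array $targets): int
{
    if (!isset($targets[$requestedWebsiteId])) {
        throw new RuntimeException("website_id {$requestedWebsiteId} not permitted for this customer");
    }
    return $requestedWebsiteId;
}

$websites = [1 => 'Default', 2 => 'Wholesale'];   // constructed sample

echo renderChoice(loginTargets(SHARE_GLOBAL, 1, $websites)), "\n";    // dropdown, both websites
echo renderChoice(loginTargets(SHARE_WEBSITE, 2, $websites)), "\n";   // single button, Wholesale only

try {
    // Per-website customer created on website 1; a tampered request asks for 2
    resolveWebsite(2, loginTargets(SHARE_WEBSITE, 1, $websites));
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The last call is the check worth confirming in the module itself: because the UI only hides options it does not offer, the controller has to recompute the allowed websites from the customer record and the sharing scope rather than trusting the `website_id` it receives.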
- Source: GitHub Repository
- Issues: GitHub Issues
This project is licensed under the MIT License - see the LICENSE file for details.