Super Login: A Free Joomla Plugin that Allows a Super User to Login as Any User

At itoctopus, we test our clients’ Joomla websites constantly, so much that we have developed Joomla plugins to help us with the testing. One of the plugins that we have developed and constantly use is the Super Login plugin, which allows us to log in to the Joomla website as any user with that user’s username and our super user password.

For example, if we have jeff as one username on a certain Joomla website that we manage, and the password for jeff is jeff123, and there is a super user called admin on that same website with admin123 as password, then we can (if we have the Super Login authentication plugin installed and enabled) log in as jeff with the following credentials:

Username: jeff
Password: admin123 (instead of jeff123)

What’s interesting is that once we are logged in as jeff using our password, we will have all the rights/privileges of the jeff username; it’s exactly like logging in as jeff (think about it as if jeff has one username and two passwords).

We have developed and maintained this plugin for years now but we have just revamped it for public release, and because we are very generous, we are offering it to our readers for free. It can be downloaded here.

The Super Login plugin is revamped for Joomla 3.x and is built on top of the Authentication core Joomla plugin. Joomla 2.5.x compatibility is possible with little or no modification – we used to use it on Joomla 2.5.x, but we have modified it heavily since (that’s why we’re not sure if it’ll work or not).

The plugin, for security reasons, will not allow a super user to log in as another super user (if you really need to allow this, then a quick modification to the code will address this limitation). Additionally, and also for security reasons, the plugin will only check 10 super users for a matching password. So, if you have more than 10 super users, then only the first 10 will be considered (in any case, we don’t think that any Joomla website should have more than 10 users).

The way the plugin works is as follows:

  • It first checks whether the username provided actually exists. If it doesn’t, then the plugin throws an error message and the authentication fails.

  • It then checks if the username belongs to a super user. If it does, then it throws an error message and the authentication fails.

  • It then gets the Group ID for super users (super administrators). Typically their Group ID is 8, but the plugin is intelligent enough to handle any change in that number on heavily modified websites (or in case Joomla decides to assign super users another Group ID).

  • The plugin then grabs a maximum of 10 super users from the #__users table for comparison.

  • It then loops through the super users, until it finds a super user with a matching password. Once it does, it logs the user in with the username entered.
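
The sequence above as a stand-alone PHP model, added here as an illustration; it is not the plugin's source. The `$users` array, the `superLogin` function and its `checks` counter are assumptions made for the example, and the Super Users Group ID is passed in rather than read from Joomla's tables.

```php
<?php
const MAX_SUPER_USERS = 10; // cap stated in the article

// Hypothetical model of the decision flow; returns the outcome plus the
// number of password-hash verifications the attempt cost.
function superLogin(array $users, int $superGroupId, string $username, string $password): array
{
    $checks = 0;
    // Step 1: the username must exist.
    if (!isset($users[$username])) {
        return ['ok' => false, 'reason' => 'unknown user', 'checks' => $checks];
    }
    // Step 2: the target account must not be a super user.
    if (in_array($superGroupId, $users[$username]['groups'], true)) {
        return ['ok' => false, 'reason' => 'target is a super user', 'checks' => $checks];
    }
    // Steps 3-4: collect the super users, keeping at most MAX_SUPER_USERS.
    $supers = array_filter($users, fn($u) => in_array($superGroupId, $u['groups'], true));
    $supers = array_slice($supers, 0, MAX_SUPER_USERS, true);
    // Step 5: stop at the first super user whose password hash matches.
    foreach ($supers as $name => $su) {
        $checks++;
        if (password_verify($password, $su['hash'])) {
            return ['ok' => true, 'login_as' => $username, 'matched' => $name, 'checks' => $checks];
        }
    }
    return ['ok' => false, 'reason' => 'no super user password matched', 'checks' => $checks];
}

// Constructed sample data standing in for #__users (not from a real site).
$users = [
    'jeff'  => ['groups' => [2], 'hash' => password_hash('jeff123', PASSWORD_BCRYPT)],
    'admin' => ['groups' => [8], 'hash' => password_hash('admin123', PASSWORD_BCRYPT)],
    'root2' => ['groups' => [8], 'hash' => password_hash('other-secret', PASSWORD_BCRYPT)],
];
$superGroupId = 8; // usual value; assumed to be resolved by the caller

$attempts = [['jeff', 'admin123'], ['jeff', 'wrong'], ['admin', 'other-secret'], ['nobody', 'admin123']];
foreach ($attempts as [$u, $p]) {
    echo $u, ' / ', $p, ' => ', json_encode(superLogin($users, $superGroupId, $u, $p)), PHP_EOL;
}
```

The `checks` value shows the work done per attempt: a failed login for an existing non-super username costs one hash verification per super user considered, which is the cost the 10-user cap bounds.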

So, is this plugin secure?

We can confirm that it’s very secure. Again, it’s built on top of the Joomla core authentication plugin, which is, undeniably, very secure. Nevertheless, it’s important to note that the plugin doesn’t have any DoS protection, which is why we have limited the number of checked super users to 10.

When is this plugin useful?

This plugin is useful when you want, for example, to log in to the backend as another user to see what the other user sees and what he can do (after creating that user or after changing the role granted to that user). It’s also useful in the frontend for the very same reasons.

Why is this plugin free?

Well, it’s obvious, isn’t it? Because we love Joomla and we love our readers, and we’re doing our best to keep Joomla at the helm with useful, clean, and sophisticated extensions. And, before you ask, it’s really free: there are no hidden links anywhere and you don’t have to buy anything (unless, of course, you want us to support it).

The plugin’s installation is super simple. Just install it from the Extension Manager, and then enable it (make sure that it’s ordered last among enabled authentication plugins). If after installing it and enabling it, the plugin didn’t work for you for some reason, then please contact us, but note that we charge fees for supporting this plugin. Also, last but not least, please keep in mind that this plugin is provided as-is and comes with no guarantees whatsoever, and we can’t be held responsible for any issue, either major or minor, resulting directly or indirectly from the use of this plugin.
