Impersonate plugin for CakePHP 3

Installs: 4 002

Dependents: 0

Suggesters: 0

Security: 0

Stars: 7

Watchers: 6

Forks: 3

Open Issues: 1


4.0.0-beta1 2020-01-07 20:54 UTC

This package is auto-updated.

Last update: 2024-07-08 11:33:55 UTC


CakeImpersonate Plugin

Build Status Coverage Status Latest Stable Version Minimum PHP Version License Total Downloads

Impersonate Component

A component that stores the current authentication session and creates new session for impersonating Users. User can revert back to original authentication sessions without the need to re-login.


Always double check that an attacker cannot "spoof" other users in the controller actions. To prevent hijacking of users accounts that the current request User shouldn't/wouldn't have normal access to. You should enable CsfrComponent and SecurityComponent in your Controller when loading this component.

This Plugin does circumvent default authentication mechanisms


  1. CakePHP 3.7 and above.


composer require jomweb/cake-impersonate:"^3.0"

Plugin Load

Open \src\Application.php add


to your bootstrap() method or call bin/cake plugin load CakeImpersonate

Component Load

Load the component from controller


Configure Session Key

Open configure\app.php and add

'Impersonate' => [
    'sessionKey' => 'OriginalAuth'

to the return []; or use Configure::write('Impersonate.sessionKey', 'OriginalAuth'); when loading the component.


Impersonate user

This requires the request to be a POST, PUT, DELETE so it can be protected by SecurityComponent and CsrfComponent


Check current user is impersonated


Logout from impersonating