Impersonate Laravel Package

christhompsontldr/impersonate

Laravel package to let authorized users impersonate other accounts for support and troubleshooting. Provides start/stop impersonation helpers, middleware/guards integration, and easy checks to ensure only permitted roles can switch users safely.

christhompsontldr/impersonate adds streamlined user impersonation to Laravel apps, making it easy for admins or support staff to temporarily sign in as another user for debugging and assistance. It’s designed to be simple to integrate while keeping impersonation actions explicit and reversible.

Key features:

  • Start and stop impersonation sessions with clear intent
  • Helper methods to check whether a user is currently impersonating
  • Easy integration with common auth workflows (guards/middleware friendly)
  • Supports returning to the original account after troubleshooting

Frequently asked questions about Impersonate
Does this package work with Laravel 10+? What are the risks of using it with newer Laravel versions?
The package was last updated in 2020 and may not fully support Laravel 10+. Auth contracts and middleware changes in newer Laravel versions could cause compatibility issues. Test thoroughly in a staging environment, especially if using Laravel 9+ or 10, as breaking changes in the auth system may require manual patches.
How do I restrict impersonation to specific roles (e.g., only admins)?
Use Laravel’s built-in gates or policies to check permissions before allowing impersonation. For example, define an `impersonate-others` gate in your `AuthServiceProvider` and apply it via the `can` middleware: `Route::middleware(['auth', 'can:impersonate-others', 'impersonate'])->group(...);`. This ensures only authorized users can trigger impersonation.
Is there a way to automatically log impersonation actions for audit trails?
The package itself doesn’t include logging, but you can manually log impersonation events using Laravel’s logging system (e.g., `Log::info('User impersonated', ['original_user' => $originalUser, 'impersonated_user' => $targetUser])`). For production, consider integrating with Laravel’s `events` system or a dedicated audit package like `spatie/laravel-activitylog`.
Can I use this package with Laravel Sanctum or Passport for API-based impersonation?
The package is designed for web-based impersonation and relies on Laravel’s session driver. While it may work with Sanctum/Passport for hybrid setups, API-only impersonation (e.g., via tokens) isn’t natively supported. You’d need to extend the middleware or manually handle token-based impersonation logic, which could introduce security risks if not properly scoped.
What happens if a user is already impersonating another user and tries to impersonate again (nested impersonation)?
The package doesn’t explicitly handle nested impersonation, which could lead to session conflicts or data inconsistencies. If you need this feature, you’ll need to customize the middleware or session logic to track impersonation depth and enforce limits (e.g., max 1 level deep). Always test edge cases like this in a controlled environment.
How do I terminate an impersonation session? Does it support auto-expiry?
Impersonation sessions are terminated manually using the package’s `stopImpersonating()` method or by logging out. There’s no built-in auto-expiry, so you’d need to implement this via middleware (e.g., check session duration and revoke impersonation after a set time). For security, consider combining this with Laravel’s `auth()->logoutOtherDevices()` for added protection.
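A middleware sketch for the auto-expiry and nested-impersonation answers above. It is an added example, not code from christhompsontldr/impersonate: it tracks impersonation in its own session keys and switches users with `Auth::loginUsingId()`, and the class name, key names and the 15-minute limit are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

class ExpireImpersonation
{
    private const ORIGINAL_ID = 'impersonation.original_id'; // hypothetical session key
    private const STARTED_AT  = 'impersonation.started_at';  // hypothetical session key
    private const MAX_SECONDS = 900;                          // assumed limit: 15 minutes

    // Call from the gate-protected controller action that starts impersonation.
    public static function start(Request $request, int $targetId): bool
    {
        // Refuse nested impersonation: at most one level deep.
        if ($request->session()->has(self::ORIGINAL_ID)) {
            return false;
        }
        $originalId = Auth::id();
        Auth::loginUsingId($targetId);
        // Write the markers after the login so they live in the regenerated session.
        $request->session()->put(self::ORIGINAL_ID, $originalId);
        $request->session()->put(self::STARTED_AT, time());
        Log::info('Impersonation started', ['original_user' => $originalId, 'impersonated_user' => $targetId]);
        return true;
    }

    public function handle(Request $request, Closure $next)
    {
        $session = $request->session();
        // A missing start time casts to 0, so a tampered or partial session expires at once.
        $age = time() - (int) $session->get(self::STARTED_AT);

        if ($session->has(self::ORIGINAL_ID) && $age > self::MAX_SECONDS) {
            $impersonatedId = Auth::id();
            $originalId = $session->pull(self::ORIGINAL_ID);
            $session->forget(self::STARTED_AT);
            Auth::loginUsingId($originalId);
            Log::info('Impersonation expired', ['original_user' => $originalId, 'impersonated_user' => $impersonatedId]);
            // Do not finish a request that was issued under the impersonated identity.
            return redirect('/');
        }
        return $next($request);
    }
}
```

Register the middleware in the `web` group after the session and `auth` middleware so that the session and the authenticated user are available when `handle()` runs.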
Are there any security risks if I use impersonation links in emails or notifications?
Yes, impersonation links in emails or notifications are vulnerable to CSRF or session fixation attacks if not properly secured. Always use Laravel’s signed, temporary URL helpers (e.g., `URL::temporarySignedRoute('impersonate', now()->addMinutes(10))`) and validate the request on the server side. Avoid exposing impersonation endpoints publicly without additional authentication checks.
Does this package support soft-deleted users or model events (e.g., retrieved, saved) during impersonation?
The package doesn’t handle soft-deleted users or model events out of the box. If you’re using Laravel’s soft deletes (`SoftDeletes` trait), impersonating a deleted user may cause errors. Override the impersonation logic to check for soft-deleted users or handle model events manually (e.g., via `retrieved` or `saved` hooks) if needed.
What’s the impact on performance if I use this package with database-backed sessions?
Impersonation relies on session storage, so frequent use with database-backed sessions could increase load, especially if sessions aren’t optimized (e.g., large payloads). Test under expected traffic to measure impact. For high-scale apps, consider caching session data or using Redis to reduce database writes. Monitor session table growth if impersonation is used heavily.
What are the alternatives if this package is abandoned or doesn’t meet my needs?
For a lightweight solution, you can build a custom middleware to handle impersonation using Laravel’s `auth()->loginUsingId()` and session manipulation. For more robust features (e.g., logging, multi-guard support), consider packages like `spatie/laravel-permission` (for role-based access) or `orchid/impersonate` (a more maintained alternative with additional features). Always evaluate alternatives based on your Laravel version and specific requirements.