Let's say Admin A and Admin B are both masquerading as User C from their own machines.

A does it first (and

Then A logs out on his machine and suddenly he's logged in as B (which potentially via Pundit or something has different authorisations that he shouldn't have)

I think using the Rails cache isn't the best idea for this, but maybe storing something in the Rails session?

Hi @andyjeffries

it's a bit tricky to fix to be honest for now. Let's discuss probably, let's say I removed the session to skip any exposes of encoded data. Rails.cache is safe enough way to keep the data about the requested masquerading user.

I had this ticket #83 , going to review the code for now and think how to fix it.

OK, as an implementation idea, so how about you create a random token (SecureRandom.hex(20), a UUID or something) and you use that as a key in the Rails cache with the value being the original user's ID (or whatever). Then you set that token in the session. This isn't easily guessable. Then when leaving the masquerade, you lookup the token in the session, find that in the cache to get the user to return to, delete it from the session and continue as normal with your unmasquerade process.

Then you're not storing anything sensitive in the session, you aren't storing an easily guessable value and if an attacker gets hold of the whole session, they could unmasquerade anyway?

Completely up to you, just throwing a suggestion out there :-)

@andyjeffries looking good. it doesn’t break anything. thank you. I will try to apply it today.

Hi @andyjeffries Please review PR if you have time: #95

I've just noticed I'm using 1.3.11 and it's still happening for me.