Magento – Can / Should I Use The Admin Session in Frontend

Tags: adminhtml, frontend, security, session

For some use cases it would be nice to know, when on the frontend, if an admin is logged in and to fetch the user's ACLs.

I know that this is not "easily" possible, i.e. the frontend and admin sessions are separated on the abstraction level.

I think it should be possible to dig some levels deeper and still access the session.

Additionally I saw workarounds that pass some tokens from the backend to the frontend – but basically I am not talking about such.

  • Are there any obvious problems to expect? Or might that just be impossible for any structural reason?
  • I saw shops that log you out from the backend when you browse the store front – what could be the reason for such security measures? (obviously in this case my whole approach would not work).

Best Answer

Let's assume you can get access to the admin session in the frontend; I don't think there will be any issues. Just make sure that you wrap the code (actions or display) around something like this:

if (getTheAdminSession()->getUser()) { // getTheAdminSession() is just a placeholder for the admin session getter
    // code or output here
}

If you have this and the admin is not logged in then there should not be any issues (in theory). Those pieces of code will be skipped.
Now the hard part. I'm not sure how it's possible to gain access to the admin session from the back-end since Magento creates 2 different cookies for them. Maybe read the cookie with the name 'adminhtml' and try to initiate the session with that value. But this will become impossible if the admin is on a separate domain. (I know it usually isn't but it may be).
If you do a simple:

Mage::getSingleton('admin/session')

on the frontend, the object created from this code will be appended to the session file of the frontend (I only tested with sessions in files). The admin session file will not be touched. Your session file will look something like this:

core|a:5:{..}admin|a:2:{...}