lastuser
Admin "sudo" framework
We occasionally receive support requests stating something is not working for a user, or sometimes we have to set up an account on behalf of a user (such as a guest speaker at an event or a customer receiving a walkthrough from a sales person).
At this time there is no mechanism for an admin to access another user's account. One is required. Proposed process:
- Admin opens an incognito window and logs in to Lastuser (since client apps aren't necessarily aware of sudo mode and will still show the admin user's account).
- Admin then activates sudo mode, which copies the `userid` and `sessionid` from their session cookie into `sudo_userid` and `sudo_sessionid` (thereby indicating this is a sudo session).
- Admin picks from a menu: register as a user, or log in as an existing user (using the admin's password instead of the user's password).
- The user's credentials are processed as with a regular login (using `login_internal`), but the Session record is now flagged with the parent session to indicate sudo access.
- The user is sent an email notification (to a verified address only) about an admin accessing their account, including the admin's identity (fullname and username, not necessarily contact information).
- When the admin logs out of the user's account (using `logout_internal`), the user is sent another email notification and the admin's credentials are restored from the `sudo_*` session keys.
- If a sudo session is idle for half an hour (detected by a background sweep), it is logged out automatically, with the email notice stating that it was closed for inactivity.
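The flow above, as an added example that is not Lastuser's own code. The session cookie is modelled as a plain dict, and the database, mailer and audit log are in-memory stand-ins; the function names (`enter_sudo`, `sudo_login`, `end_sudo_session`, `sudo_logout`, `sweep_idle`, `resolve_request`), the `ADMINS` set standing in for the dashboard-access setting, and the sample users are all assumptions made for illustration. The "register as a user" branch is omitted; only the login-as-existing-user path is shown.

```python
"""Added example, not Lastuser's code: a minimal model of the admin sudo flow."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import secrets

IDLE_LIMIT = timedelta(minutes=30)      # half-hour idle limit from the proposal
ADMINS = {"u-admin"}                    # hypothetical stand-in for the dashboard-access setting
T0 = datetime(2024, 1, 1, 9, 0)         # constructed clock for the example


@dataclass
class User:
    userid: str
    username: str
    fullname: str
    verified_email: Optional[str]       # None: no verified address, so no notice is sent


@dataclass
class SessionRecord:
    sessionid: str
    userid: str
    parent_sessionid: Optional[str]     # set only on sudo sessions (the admin's own session)
    last_seen: datetime
    active: bool = True


# Constructed sample users; in-memory stand-ins for the database, mailer and audit log
USERS = {
    "u-admin": User("u-admin", "admin", "Ada Admin", "ada@example.com"),
    "u-guest": User("u-guest", "guest", "Guest Speaker", "guest@example.com"),
    "u-new": User("u-new", "new", "Unverified Account", None),
}
SESSIONS: dict = {}
MAILBOX: list = []                      # (recipient, message) pairs "sent"
AUDIT: list = []                        # append-only per-account audit trail


def _notify(user, message):
    """Email the account owner, but only to a verified address."""
    if user.verified_email:
        MAILBOX.append((user.verified_email, message))


def new_session(userid, now, parent=None):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = SessionRecord(sid, userid, parent, now)
    return sid


def enter_sudo(cookie):
    """Copy the admin's own userid/sessionid into the sudo_* cookie keys."""
    if cookie["userid"] not in ADMINS:
        raise PermissionError("not an admin")
    cookie["sudo_userid"] = cookie["userid"]
    cookie["sudo_sessionid"] = cookie["sessionid"]


def sudo_login(cookie, target_userid, now):
    """Log in as the target; the new Session record points at the admin's session."""
    if "sudo_sessionid" not in cookie:
        raise PermissionError("sudo mode not active")
    admin, target = USERS[cookie["sudo_userid"]], USERS[target_userid]
    cookie["userid"] = target_userid
    cookie["sessionid"] = new_session(target_userid, now, parent=cookie["sudo_sessionid"])
    _notify(target, f"{admin.fullname} (@{admin.username}) logged in to your account")
    AUDIT.append({"event": "sudo_login", "account": target_userid,
                  "admin": admin.userid, "session": cookie["sessionid"]})
    return cookie["sessionid"]


def end_sudo_session(sessionid, reason):
    """Server-side close: flag the record, notify the owner, write the audit entry."""
    rec = SESSIONS[sessionid]
    if not rec.active:
        return
    rec.active = False
    target = USERS[rec.userid]
    admin = USERS[SESSIONS[rec.parent_sessionid].userid]
    _notify(target, f"{admin.fullname} (@{admin.username}) logged out of your account ({reason})")
    AUDIT.append({"event": "sudo_logout", "account": rec.userid,
                  "admin": admin.userid, "reason": reason})


def sudo_logout(cookie):
    """Admin-initiated logout: close the sudo session and restore the admin's identity."""
    end_sudo_session(cookie["sessionid"], "admin logged out")
    cookie["userid"] = cookie.pop("sudo_userid")
    cookie["sessionid"] = cookie.pop("sudo_sessionid")


def sweep_idle(now):
    """Background sweep: close sudo sessions idle for IDLE_LIMIT or longer.
    It cannot rewrite the admin's browser cookie, so it only flags the record;
    resolve_request() restores the admin on their next request."""
    closed = [s.sessionid for s in SESSIONS.values()
              if s.active and s.parent_sessionid and now - s.last_seen >= IDLE_LIMIT]
    for sid in closed:
        end_sudo_session(sid, "closed for inactivity")
    return closed


def resolve_request(cookie, now):
    """Per-request check: if the sudo session was swept, fall back to the sudo_* keys."""
    rec = SESSIONS.get(cookie["sessionid"])
    if rec is None or not rec.active:
        if "sudo_userid" in cookie:
            cookie["userid"] = cookie.pop("sudo_userid")
            cookie["sessionid"] = cookie.pop("sudo_sessionid")
        else:
            cookie.clear()              # ordinary dead session: plain logout
    else:
        rec.last_seen = now
    return cookie.get("userid")
```

Two points the example makes explicit that the prose leaves implicit: the idle sweep runs without a browser request in hand, so it can only invalidate the Session record and send the notice, and the admin's credentials are restored from the `sudo_*` keys on the admin's next request rather than by the sweep itself; and a user without a verified address gets no notice at all, which is exactly why the audit log is needed as a second record.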
Admins are identified using the same configuration setting that is used for dashboard access.
As this is a sensitive feature, email notifications alone aren't sufficient. We need an audit log for each user account logging this and other critical actions (profile, org, team updates).
How does this work in the case of client apps? App sessions aren't as easy to replicate as browser sessions.