“Log in as User” in a new private browsing window no longer works
Currently using version 2.8.9. I’m not sure which version this happened in because this isn’t a feature I use often, but we have a members-only website which is used as a member portal for an offline organization and is used as the official source of truth for a lot of the membership data. Some of our members are not particularly tech-savvy, and periodically in order to have smooth operations we need to log into the website as one of the users to do something on their behalf because they can’t figure out how to log in and do it themselves, and the website isn’t the point of the organization, just a tool to support it.
My normal way of using this feature was to view the member’s profile, then click on the gear, then right click on the “Log in as user” option and pick “Open in new private window” or “Open in new incognito window” (depending on which browser is being used) because doing it that way allowed me to remain logged in with the administrator account in the original window without having to log out and back in again when I’m done doing the task for the user. It would prompt me to log in with the administrator account, then immediately switch to the user in question after logging in, and it worked nicely.
In the current version of Ultimate Member the above workflow now results in a “The link you followed has expired.” error after logging in.
I have confirmed that following the link in the same window instead of opening a private browsing window does still work (except that I obviously get logged out of the administrator account doing it that way).
I’m guessing this is probably an attempt to stop a cross-site request forgery avenue, in which case, the old workflow probably can’t be restored without also restoring the security problem that was being solved with this change. Oh well.
A good workaround for this is to do the “open in private browsing window” one step earlier in the process… when you look up the user, instead of going to their profile page first, right click on the profile link, and open THAT in the private browsing window. Since it’s a members-only site, I get prompted to log in (as the admin) then it shows me the user’s profile after logging in. Then I can click the gear, and click “Log in as this user” leaving it in the same window.
Hope this is useful to anyone else that was using it that way.
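To illustrate the behaviour described in the post, here is an added example (not part of the original post and not Ultimate Member's code) that models a WordPress-style nonce, which is computed from the action, the user ID and the login session token. It assumes the "Log in as user" link carries such a nonce, which the post only guesses at; the secret, session tokens and action name are constructed.

```python
import hashlib
import hmac
import math

SECRET = b"constructed-site-secret"  # stands in for the site's secret nonce salt
NONCE_LIFE = 86400                   # seconds; WordPress's default nonce lifetime


def tick(now):
    # Time is bucketed into half-lifetime windows.
    return math.ceil(now / (NONCE_LIFE / 2))


def nonce_for(t, action, user_id, session_token):
    # The session token is part of the MAC input, so the value is only
    # valid inside the login session that rendered the link.
    msg = f"{t}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(SECRET, msg, hashlib.md5).hexdigest()[-12:-2]


def verify_nonce(nonce, action, user_id, session_token, now):
    # Accept the current and the previous time window.
    return any(
        hmac.compare_digest(nonce_for(tick(now) - age, action, user_id, session_token), nonce)
        for age in (0, 1)
    )


def follow_link(nonce, member_id, admin_id, session_token, now):
    action = f"switch_to_{member_id}"  # hypothetical action name
    if not verify_nonce(nonce, action, admin_id, session_token, now):
        return "The link you followed has expired."
    return f"now acting as user {member_id}"


def demo():
    now, admin, member = 1_700_000_000, 1, 42
    normal, private = "session-token-A", "session-token-B"  # constructed tokens
    # Link rendered on the profile page in the normal window.
    link = nonce_for(tick(now), f"switch_to_{member}", admin, normal)
    same_window = follow_link(link, member, admin, normal, now + 60)
    # Same link opened in a private window: new login, new session token.
    private_window = follow_link(link, member, admin, private, now + 60)
    # Workaround: the profile page itself is rendered in the private window.
    fresh = nonce_for(tick(now + 90), f"switch_to_{member}", admin, private)
    workaround = follow_link(fresh, member, admin, private, now + 120)
    return same_window, private_window, workaround


if __name__ == "__main__":
    print(demo())
```

Under this model the workaround succeeds because the link is generated inside the same login session that later submits it.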