Thanks for the write up dear. Can you please confirm in order to impersonate admin session attacker needs to wait for an actual admin to impersonate the session and then hijack the session ? Or attacker has an ability to perform admin impersonation on temporary basis?