[eluser]WanWizard[/eluser]
Hmmm, not really secure, an application with 'backdoors'...
Normally, the session would only store the minumum of information, for example the user_id. When the controller is loaded, you check if the session contains this id, and if so, you restore the users session. In that system all you have to do to impersonate someone is to load their user record. And probably add an impersonate_user_id to the session to indicate you want to load the user info instead of your own user info.
Getting access to the session record to retrieve data your boss has stored in his (or her) session will be a challenge, as you have no way of knowing the session_id, and therefore which session record to retrieve.