When an admin impersonated another admin, it was possible to
impersonate multiple levels deep. The side-effect is when
stopping impersonation at a deeper level the actual user
would then assume the session of the last impersonating user
rather than their own session.

Changelog: security