Magic-Sessionmanager

strapi-plugin-magic-sessionmanagerlatestLicenseMITStrapiv5GitHub

What you get

Magic-Sessionmanager gives you a live dashboard of who is logged into your Strapi app and complete control over their sessions. Force logout across all devices (including refresh tokens!), see IP geolocation with country flags (Premium), detect VPN/proxy/TOR connections (Advanced), enforce geo-fencing, and get email or Discord alerts for suspicious logins. JWT tokens are encrypted at rest.

At a glance

Live Dashboard

See who is logged in right now, from which device and where.

Force Logout

Terminate any session instantly. Refresh tokens are also blocked, no re-entry.

IP Geolocation (Premium)

Country with flag, city, ISP, ASN, and coordinates for every session.

VPN Detection (Advanced)

Flag VPN, proxy, TOR exit nodes, and datacenter IPs. Block automatically or alert.

Geo-Fencing (Advanced)

Allow/block logins by country code (ISO 3166-1 alpha-2). Per-role rules supported.

Security Alerts (Advanced)

Email or webhook notifications for suspicious events (new country, VPN, threat score).

Quick install

npm install strapi-plugin-magic-sessionmanager

// config/plugins.ts
export default () => ({
  'magic-sessionmanager': {
    enabled: true,
    config: {
      lastSeenRateLimit: 30000,    // ms between last-seen updates
      inactivityTimeout: 900000,   // 15 min of inactivity marks session idle
    },
  },
});

npm run build && npm run develop

Open Admin → Sessions. You'll see the live dashboard immediately.

Full installation guide

How it works

Magic-Sessionmanager hooks into Strapi's auth lifecycle:

1. On login — creates a session record with user ID, IP, device, browser, geo (Premium), and threat score (Advanced).
2. On each request — updates lastSeen (throttled to once every 30s by default).
3. On logout / force-logout — marks session as terminated and blocks the JWT and refresh token.
4. On suspicious events — triggers alerts via email or webhook (Advanced).
5. Auto-cleanup — sessions idle for more than inactivityTimeout are marked inactive; old terminated sessions are purged nightly.

Refresh token blocking

Traditional force-logout doesn't work if the user has a refresh token:

Admin clicks "Force logout" → User's JWT is invalidated
  → But user's app uses refresh token → gets new JWT → back in!

Magic-Sessionmanager fixes this by maintaining a blocked-tokens list:

Admin clicks "Force logout" → JWT AND refresh token invalidated
  → Refresh token attempt is blocked → User must login again ✓

Admin UI

The plugin ships with four views:

1. Sessions Dashboard — table of all sessions, filter by user, IP, country, status.
2. Session Detail — full context on one session (device, timeline, threat score).
3. Homepage Widget — at-a-glance stats on the Strapi home page (online users, last 15/30 min).
4. Content Manager Sidebar — show a user's active sessions inline when viewing their record.

Security features by tier

Feature	Free	Premium	Advanced
Session tracking	✓	✓	✓
Force logout	✓	✓	✓
Refresh token blocking	✓	✓	✓
Dashboard widget	✓	✓	✓
Device / browser detection	✓	✓	✓
JWT encryption at rest	✓	✓	✓
IP geolocation + country flag	—	✓	✓
City / ISP / ASN	—	✓	✓
Coordinates (map-ready)	—	✓	✓
Security risk score (0–100)	—	✓	✓
VPN / proxy / TOR detection	—	—	✓
Datacenter IP detection	—	—	✓
Auto-blocking rules	—	—	✓
Geo-fencing (country lists)	—	—	✓
Email alerts	—	—	✓
Webhook alerts (Slack, Discord, custom)	—	—	✓
Price	$0	$14.50/mo	$39.50/mo

View all pricing details →

Next steps

• Installation →
• Security Features →
• Geolocation →
• API Reference →
• Examples →
• FAQ →

Related plugins

• Magic-Link — Passwordless auth. Sessions created by Magic-Link can be monitored and terminated here.
• Magic-Mail — Sends the security alert emails.

---

Made by Joulee Tech GmbH. Free tier · 30-day money-back guarantee on paid tiers.