Magic-Sessionmanager — FAQ
Basics
How does Magic-Sessionmanager differ from Strapi's built-in sessions?
Strapi natively only stores JWT tokens. Magic-Sessionmanager adds:
- Persistent session records with full device/IP/location context
- Live activity tracking (last-seen updates every 30s)
- Force logout that actually works — blocks refresh tokens too
- Security analytics — risk scoring, VPN detection, geo-fencing
- Admin dashboard — live table of all active sessions
Does force logout really work?
Yes. Unlike basic session invalidation (which only kills the JWT and lets the user silently re-authenticate with their refresh token), Magic-Sessionmanager also blocks the refresh token. Refresh attempts return an error; the user must log in again.
Features & tiers
Can I see where users are logging in from?
Yes, on Premium and Advanced tiers. Geolocation data includes:
- Country (with flag emoji)
- City
- ISP / ASN
- Coordinates (lat/lng, for mapping)
Free tier shows only the IP address.
Can Magic-Sessionmanager detect VPNs?
Yes, on the Advanced tier:
- VPN servers
- Proxy servers
- TOR exit nodes
- Datacenter IPs
Configure auto-blocking or alert only.
What is geo-fencing?
Country allow/block lists. Advanced tier lets you configure:
// Example: allow only these countries
allowedCountries: ['DE', 'AT', 'CH', 'US', 'GB']
// Or: block specific countries
blockedCountries: ['CN', 'RU', 'KP']
Uses ISO 3166-1 alpha-2 codes.
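The decision logic behind such a list, as an added example (not the plugin's own code): allowedCountries and blockedCountries are applied the way the FAQ describes, list entries are validated as ISO 3166-1 alpha-2 codes at build time, and a failed geolocation lookup (no country) is denied whenever any fence is configured so the check fails closed. The function names buildGeoFence/normaliseList and the fail-closed policy are assumptions, not documented plugin behaviour.

```javascript
// Added example, not Magic-Sessionmanager code. Names and the
// "unknown country" policy are assumptions; the config shape and the
// ISO 3166-1 alpha-2 requirement come from the FAQ.

const ISO_ALPHA2 = /^[A-Z]{2}$/;

// Normalise and validate a configured list; throws on non-ISO values so a
// typo like 'uk' or 'GBR' is caught at startup rather than silently ignored.
function normaliseList(list, name) {
  if (list == null) return [];
  if (!Array.isArray(list)) throw new TypeError(`${name} must be an array`);
  return list.map((code) => {
    const upper = String(code).trim().toUpperCase();
    if (!ISO_ALPHA2.test(upper)) {
      throw new Error(`${name}: "${code}" is not an ISO 3166-1 alpha-2 code`);
    }
    return upper;
  });
}

// Build a decision function from a plugin-style config object.
// Semantics (assumed): the block list is checked first; if an allow list is
// present, only listed countries pass; a null/unknown country is denied
// whenever any fence is configured, so a geolocation outage fails closed.
function buildGeoFence(config = {}) {
  const allowed = new Set(normaliseList(config.allowedCountries, 'allowedCountries'));
  const blocked = new Set(normaliseList(config.blockedCountries, 'blockedCountries'));
  const fenced = allowed.size > 0 || blocked.size > 0;

  return function evaluate(country) {
    if (!fenced) return { allow: true, reason: 'no geo-fence configured' };
    const c = typeof country === 'string' ? country.trim().toUpperCase() : null;
    if (c === null || !ISO_ALPHA2.test(c)) {
      return { allow: false, reason: 'country unknown; failing closed' };
    }
    if (blocked.has(c)) return { allow: false, reason: `${c} is on blockedCountries` };
    if (allowed.size > 0 && !allowed.has(c)) {
      return { allow: false, reason: `${c} is not on allowedCountries` };
    }
    return { allow: true, reason: 'passed geo-fence' };
  };
}

// Constructed sample: the FAQ's allow list plus one block entry for contrast.
const fence = buildGeoFence({
  allowedCountries: ['DE', 'AT', 'CH', 'US', 'GB'],
  blockedCountries: ['KP'],
});

console.log(fence('DE'));   // allowed
console.log(fence('CN'));   // denied: not on the allow list
console.log(fence(null));   // denied: lookup failed, fail closed
```

Validating the lists at startup matters more than it looks: a silently ignored entry turns a block rule into no rule at all, which is the kind of misconfiguration that never shows up in a dashboard.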
What triggers a security alert?
Configurable triggers (Advanced):
- Login from a new country
- VPN / proxy / TOR detected
- Threat score below threshold
- Blocked login attempt
- Any custom JavaScript condition
Alerts go via email (needs Magic-Mail or any Strapi email provider) or webhook (Slack, Discord, generic HTTPS endpoint).
Security
How are JWT tokens encrypted?
Tokens stored in the sessions table are encrypted with AES-256-GCM. Generate a custom SESSION_ENCRYPTION_KEY in .env for production:
node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
Even a database breach does not leak active tokens.
Does the plugin meet compliance requirements?
Because everything runs inside your Strapi instance:
- GDPR: You remain the data controller.
- SOC 2 / ISO 27001: Inherits your infrastructure's posture. Audit logs available.
- HIPAA: Can be configured to meet HIPAA requirements in a BAA-covered environment.
Integration
Does Magic-Sessionmanager work with Magic-Link?
Yes — designed to work together. Sessions created by Magic-Link are automatically tracked. Force logout immediately invalidates both the JWT and the refresh token.
Does it slow down my app?
No. Last-seen updates are throttled (default every 30 seconds) and all writes are async. Performance cost is imperceptible for typical Strapi workloads.
Does it work across multiple Strapi instances?
Yes. Sessions are stored in your shared database. For last-seen accuracy across instances, configure Redis via REDIS_URL.
Data
How long are sessions kept?
- Active sessions remain until logout or force logout.
- Inactive sessions (no activity for inactivityTimeout — default 15 minutes) are marked as inactive.
- Terminated sessions are purged nightly (configurable retention, default 30 days).
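The session lifecycle the FAQ describes in the Basics, Integration and Data sections (throttled last-seen updates, force logout that also revokes the refresh token, inactivity marking, nightly purge) as one in-memory model, added here as an example and not the plugin's code. The class and method names, the status values and the rule that a refresh on an inactive session reactivates it are assumptions; the 30-second throttle, 15-minute inactivityTimeout and 30-day retention are the FAQ's defaults. Time is passed in explicitly so the transitions can be checked without a real clock.

```javascript
// Added example, not Magic-Sessionmanager code. Names, status values and
// the "refresh reactivates an inactive session" rule are assumptions; the
// timing defaults are the FAQ's.

const DEFAULTS = {
  lastSeenThrottleMs: 30 * 1000,           // last-seen updates every 30s
  inactivityTimeoutMs: 15 * 60 * 1000,     // inactivityTimeout, default 15 min
  retentionMs: 30 * 24 * 60 * 60 * 1000,   // terminated sessions kept 30 days
};

class SessionStore {
  constructor(options = {}) {
    this.opts = { ...DEFAULTS, ...options };
    this.sessions = new Map();
  }

  // `now` is epoch milliseconds; a Strapi service would pass Date.now().
  create(id, userId, refreshToken, now) {
    const s = { id, userId, refreshToken, status: 'active', lastSeen: now, terminatedAt: null };
    this.sessions.set(id, s);
    return s;
  }

  // Activity ping: persists only once per throttle window, so a chatty
  // client does not become one database write per request.
  touch(id, now) {
    const s = this.sessions.get(id);
    if (!s || s.status !== 'active') return false;
    if (now - s.lastSeen < this.opts.lastSeenThrottleMs) return false;
    s.lastSeen = now;
    return true;
  }

  // Force logout: terminate the session AND drop its refresh token. Without
  // the second step the client could silently re-authenticate.
  forceLogout(id, now) {
    const s = this.sessions.get(id);
    if (!s) return false;
    s.status = 'terminated';
    s.terminatedAt = now;
    s.refreshToken = null;
    return true;
  }

  // Refresh path: a terminated or unknown session cannot mint new tokens.
  // (Real code would compare tokens with crypto.timingSafeEqual.)
  refresh(id, presentedRefreshToken, now) {
    const s = this.sessions.get(id);
    if (!s || s.status === 'terminated' || s.refreshToken === null) {
      return { ok: false, error: 'session revoked; log in again' };
    }
    if (s.refreshToken !== presentedRefreshToken) {
      return { ok: false, error: 'refresh token mismatch' };
    }
    s.status = 'active';   // assumption: an idle session that refreshes is active again
    s.lastSeen = now;
    return { ok: true };
  }

  // Scheduled sweep: mark idle sessions inactive, purge old terminated ones.
  sweep(now) {
    let markedInactive = 0, purged = 0;
    for (const [id, s] of this.sessions) {
      if (s.status === 'active' && now - s.lastSeen >= this.opts.inactivityTimeoutMs) {
        s.status = 'inactive'; markedInactive++;
      } else if (s.status === 'terminated' && now - s.terminatedAt >= this.opts.retentionMs) {
        this.sessions.delete(id); purged++;
      }
    }
    return { markedInactive, purged };
  }

  status(id) { const s = this.sessions.get(id); return s ? s.status : 'unknown'; }
}

// Constructed walk-through with a fixed epoch so the output is reproducible.
const store = new SessionStore();
const T0 = 1700000000000;
store.create('s1', 'user-1', 'rt-1', T0);
console.log('touch at +10s persisted:', store.touch('s1', T0 + 10000));   // false, throttled
console.log('touch at +31s persisted:', store.touch('s1', T0 + 31000));   // true
store.forceLogout('s1', T0 + 50000);
console.log('refresh after force logout:', store.refresh('s1', 'rt-1', T0 + 60000));
```

The sweep uses a single pass with two mutually exclusive branches, so a session can only move active -> inactive or terminated -> purged in one run; nothing jumps straight from active to deleted, which keeps the audit trail the FAQ's export feature relies on intact until retention expires.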
Can I export session data?
Yes, via Strapi admin export or the REST API (admin token required). Useful for compliance and audit reports.
Pricing
What happens on license expiry?
Free-tier features (session tracking, force logout, dashboard, JWT encryption) continue. Premium/Advanced features become locked. No data is deleted. Reactivate anytime to regain access.
Still have questions? support@magicdx.dev