Magic-Sessionmanager — Installation

TL;DR

Install the package, enable in config/plugins.ts, generate a JWT encryption key (recommended for production), rebuild. The dashboard appears in the sidebar immediately and starts tracking sessions on next login.

Prerequisites

• Strapi v5.0.0 or higher
• Node.js 18.x / 20.x / 22.x
• Any Strapi-supported database
• Optional but recommended: Redis for multi-instance rate-limit accuracy

1. Install

npm install strapi-plugin-magic-sessionmanager

2. Enable

// config/plugins.ts
export default () => ({
  'magic-sessionmanager': {
    enabled: true,
    config: {
      // All optional — safe defaults apply
      lastSeenRateLimit: 30000,        // 30s between last-seen updates
      inactivityTimeout: 15 * 60_000,   // 15 min of inactivity
      terminatedRetentionDays: 30,      // purge terminated sessions after 30 days
      encryptionKey: process.env.SESSION_ENCRYPTION_KEY,
    },
  },
});

3. Generate an encryption key (recommended)

node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"

Add to .env:

SESSION_ENCRYPTION_KEY=your-base64-key

Or generate in admin → Sessions → Settings → Generate Key.

Do not change this key after sessions are stored — existing encrypted tokens would become undecryptable.

4. Rebuild

npm run build && npm run develop

5. Verify

Open Strapi admin → look for Sessions in the sidebar. The dashboard shows an empty table initially. On the next user login (e.g. via magic link or password), a session record appears.

Optional: Redis for multi-instance deployments

If running multiple Strapi instances (load-balanced), configure Redis:

REDIS_URL=redis://redis-host:6379

Magic-Sessionmanager uses Redis for:

• Accurate last-seen tracking across instances
• Rate-limit enforcement
• Session invalidation propagation

Without Redis, the plugin still works but each instance has a local view.

Auto-cleanup

By default:

• Sessions idle for more than inactivityTimeout are marked inactive.
• Terminated sessions older than terminatedRetentionDays are deleted nightly.

Tune in config/plugins.ts or admin UI.

Integration with Magic-Link

When installed together, Magic-Link auth sessions are automatically tracked. No config needed.

export default () => ({
  'magic-link': { enabled: true },
  'magic-sessionmanager': { enabled: true },
});

---

Next: Security Features →