PhoenixKit V23 Migration: Session Fingerprinting
This migration adds session fingerprinting capabilities to prevent session hijacking attacks. It adds IP address and user agent tracking to session tokens, allowing the system to detect when a session token is used from a different location or device.
Changes
Session Security Enhancements
- Adds ip_address field to phoenix_kit_users_tokens table for IP-based verification
- Adds user_agent_hash field to phoenix_kit_users_tokens table for device verification
- Session tokens can now be verified against the original connection fingerprint
- Prevents session hijacking by detecting suspicious session usage patterns
Security Features
- IP address tracking: Detects when a session is used from a different IP address
- User agent hashing: Detects when a session is used from a different browser or device
- Backward compatible: Existing sessions without fingerprints remain valid
- Configurable strictness: Can log warnings or force re-authentication
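
The check these features describe can be sketched as follows. This is an added example, not PhoenixKit's own code: the module name, the function names, the `:log` / `:strict` modes and the choice of lowercase hex SHA-256 for `user_agent_hash` are assumptions; only the two column names come from the migration.

```elixir
defmodule FingerprintCheckExample do
  # Added illustration; not part of PhoenixKit.
  require Logger

  # Assumption: the user agent is stored as a lowercase hex SHA-256 digest.
  def hash_user_agent(nil), do: nil

  def hash_user_agent(ua) when is_binary(ua) do
    :crypto.hash(:sha256, ua) |> Base.encode16(case: :lower)
  end

  # `token` is a map or struct holding the ip_address and user_agent_hash
  # columns. A nil column means the session predates fingerprinting, so that
  # field is skipped (backward compatibility).
  # `strictness` is a hypothetical switch: :log warns, :strict rejects.
  def verify(token, current_ip, current_ua, strictness \\ :log) do
    mismatches =
      [
        ip_address: {Map.get(token, :ip_address), current_ip},
        user_agent: {Map.get(token, :user_agent_hash), hash_user_agent(current_ua)}
      ]
      |> Enum.filter(fn {_field, {stored, current}} ->
        stored != nil and stored != current
      end)
      |> Keyword.keys()

    cond do
      mismatches == [] ->
        :ok

      strictness == :strict ->
        # Caller should drop the session and force re-authentication.
        {:error, {:fingerprint_mismatch, mismatches}}

      true ->
        Logger.warning("session fingerprint mismatch: #{inspect(mismatches)}")
        {:ok_with_warning, mismatches}
    end
  end
end

# Constructed sample data (documentation-range IPs, made-up user agents).
ua = "Mozilla/5.0 (constructed sample)"
legacy = %{ip_address: nil, user_agent_hash: nil}
fresh = %{ip_address: "203.0.113.10", user_agent_hash: FingerprintCheckExample.hash_user_agent(ua)}

:ok = FingerprintCheckExample.verify(legacy, "198.51.100.7", "curl/8.0")
:ok = FingerprintCheckExample.verify(fresh, "203.0.113.10", ua)
{:ok_with_warning, [:ip_address]} = FingerprintCheckExample.verify(fresh, "198.51.100.7", ua)
{:error, {:fingerprint_mismatch, [:ip_address, :user_agent]}} =
  FingerprintCheckExample.verify(fresh, "198.51.100.7", "curl/8.0", :strict)
```

Client IP addresses change legitimately (mobile networks, VPNs), so the sketch reports which field mismatched, letting a caller treat an IP change differently from a user agent change.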
PostgreSQL Support
- Supports PostgreSQL prefix for schema isolation
- Optimized indexes for fingerprint lookups
Summary
Functions
Rollback the V23 session fingerprinting migration.
Run the V23 session fingerprinting migration.