Since version 14.172.297, Team Password Manager includes a session fingerprinting mechanism that improves session security.
What is session fingerprinting?
Session fingerprinting helps prevent session hijacking by ensuring that each session is tied to key characteristics of the user's environment, in this case, the IP address and browser used when the session was created.
When this feature is enabled, Team Password Manager verifies that these characteristics remain consistent throughout the session. If a mismatch is detected (e.g., the session is accessed from a different IP or browser), the session is invalidated, the user is logged out and the Invalid session fingerprint event is recorded in the log.
Configuration
Session fingerprinting is enabled by default. You can control this behavior using the CHECK_SESSION_FINGERPRINT parameter in config.php.
To disable session fingerprinting, define this parameter like this in config.php:
define('CHECK_SESSION_FINGERPRINT', false);
Use cases for disabling
You might consider disabling this feature in the following cases:
- Users frequently change IP addresses (e.g., mobile users switching networks).
- A reverse proxy or load balancer changes the perceived client IP.
- Compatibility issues with certain browsers or network setups.
Note: Disabling fingerprinting reduces session security. Only disable it if necessary.
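The following sketch shows how an IP-and-browser fingerprint check of this kind behaves, including the network changes listed above that cause a mismatch. It is an added example, not Team Password Manager's code: the function names, the session key and the SHA-256 construction are assumptions, and the sample requests are constructed.

```php
<?php
// Illustrative only: NOT Team Password Manager's implementation.
// Function names, the session key and the SHA-256 construction are assumptions.

// Derive a fingerprint from the client IP and browser (User-Agent) as seen by PHP.
function session_fingerprint(array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    // Length-prefix each field so ("ab","c") and ("a","bc") cannot collide.
    return hash('sha256', strlen($ip) . ':' . $ip . '|' . strlen($ua) . ':' . $ua);
}

// Called once, when the session is created at login.
function bind_session(array &$session, array $server): void
{
    $session['fingerprint'] = session_fingerprint($server);
}

// Called on every request; false means the session must be invalidated.
function fingerprint_matches(array $session, array $server): bool
{
    $stored = $session['fingerprint'] ?? '';
    // hash_equals compares in constant time; an unbound session never matches.
    return $stored !== '' && hash_equals($stored, session_fingerprint($server));
}

// Constructed sample requests (documentation IP ranges, made-up User-Agent strings).
$login = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$requests = [
    'same client'                  => $login,
    'different browser'            => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'OtherBrowser/2.0'],
    'mobile user switched network' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'],
    // Behind a proxy or load balancer, REMOTE_ADDR is the node that forwarded the request.
    'request via load balancer'    => ['REMOTE_ADDR' => '192.0.2.2', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'],
];

$session = [];
bind_session($session, $login);

foreach ($requests as $label => $server) {
    if (fingerprint_matches($session, $server)) {
        echo "$label: session kept\n";
    } else {
        // Mirrors the behaviour the page describes: invalidate, log out, record the event.
        echo "$label: Invalid session fingerprint, session invalidated\n";
    }
}
```

Only the first request keeps the session; the other three are legitimate or hostile changes that the check cannot tell apart, which is why frequent IP changes or a proxy in front of the application lead to unexpected logouts.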
Related settings
This setting is independent from other session-related settings such as session timeout or remember me, but they all work together to protect user sessions.
Document changelog
May 30, 2025: Document created