getSession intermittently fails cookie signature verification, deletes cookies
We've been seeing erratic unexpected log-outs in our app, and have traced it down to the session cookie being deleted because it has the wrong signature here:
https://github.com/better-auth/better-auth/blob/v1.2.5/packages/better-auth/src/api/routes/session.ts#L118
I have confirmed it is a signature mismatch by patching debug logs into getSession() — they show sessionDataPayload.signature doesn't match a signature created with createHMAC(...).sign() using the same contents.
We're using the phoneNumber plugin, and are encountering the issue most reliably (about 2% of runs) immediately after authClient.phoneNumber.verify() succeeds, but we're also occasionally seeing the issue at other times unrelated to the login flow.
Perhaps of note, sessionDataPayload.expiresAt is almost exactly cookieCache.maxAge in the future (which makes sense immediately after a successful phoneNumber verification). Is it possible that, as a client's request is heading out, a response from a previous request (e.g. phoneNumber.verify) is updating the cookie's expiry but doesn't have time for the signed contents, or... something like that? What else could be causing this? And how can I guard against it? I'm at a bit of a loss trying to figure out what to try doing next, so any suggestions would be very appreciated 😅🙏!
3 Replies
Yikes! This is a super nasty bug that's been messing us up for weeks. Would be great if anyone has some insight!
hmm. If there is a POC, I'd love to take a look. But I'll investigate more. In the meantime I just pushed a patch, 1.2.6-beta.3: when there is a signature mismatch it now falls back to checking the session from the db. Let me know if this fixes the problem.
Thanks @bekacru, I don't have a POC to share unfortunately. But in initial tests your patch does seem to be effective at avoiding the unexpected logouts, thanks for the quick response!