Trouble Creating Session After Login with 2FA Enabled – No Session Created or Persisted
Hi, I'm using Better-Auth with the Prisma adapter in a Next.js (App Router) project, and I’m having trouble with session creation when a user has 2FA enabled.
When logging in with correct credentials using authClient.signIn.email(...) from the client, the server responds with 200, but:
No session is created in the database (checked directly via Prisma)
No Set-Cookie header is sent in the response
The browser doesn’t store any session cookie
authClient.getSession() returns null after login
The user is stuck on the login screen because the session never exists
This only happens when user.twoFactorEnabled === true.
When 2FA is not enabled, everything works as expected: the session is created and persisted, and the user is redirected to /dashboard.
I’ve confirmed that:
The user does have twoFactorEnabled = true in the database
The login call returns { twoFactorRedirect: true } as expected
No session entry is created in the DB for these 2FA-enabled login attempts
I suspect the issue is that authClient.signIn.email() doesn’t actually create and persist the session on its own — especially when 2FA is enabled — but the documentation doesn’t clearly explain this behavior.
Can you confirm:
Is authClient.signIn.email() supposed to create a session automatically when 2FA is enabled?
If not, is the recommended flow to move all session creation (temporary and full) into a custom API route and handle it with auth.createSession() and cookies().set() manually?
Thanks — happy to share code if helpful.