Trouble creating session after login with 2FA enabled
Hi, I'm using Better-Auth with the Prisma adapter in a Next.js (App Router) project, and I’m having trouble with session creation when a user has 2FA enabled.
When logging in with correct credentials using authClient.signIn.email(...) from the client, the server responds with 200, but:
No session is created in the database (checked directly via Prisma)
No Set-Cookie header is sent in the response
The browser doesn’t store any session cookie
authClient.getSession() returns null after login
The user is stuck on the login screen because the session never exists
This only happens when user.twoFactorEnabled === true.
When 2FA is not enabled, everything works as expected: the session is created and persisted, and the user is redirected to /dashboard.
I’ve confirmed that:
The user does have twoFactorEnabled = true in the database
The login call returns { twoFactorRedirect: true } as expected
No session entry is created in the DB for these 2FA-enabled login attempts
I suspect the issue is that authClient.signIn.email() doesn’t actually create and persist the session on its own — especially when 2FA is enabled — but the documentation doesn’t clearly explain this behavior.
Can you confirm:
Is authClient.signIn.email() supposed to create a session automatically when 2FA is enabled?
If not, is the recommended flow to move all session creation (temporary and full) into a custom API route and handle it with auth.createSession() and cookies().set() manually?
Thanks — happy to share code if helpful.
4 Replies
Yeah, the session doesn't exist until the user verifies their second factor.
Got it — thanks.
Just to clarify: if the session doesn’t exist until after 2FA is verified, how should I authenticate the user enough to allow them access to /verify-2fa, assuming that route is protected?
Should I be creating a temporary session manually after verifying credentials so the user can reach /verify-2fa and complete the second factor?
I want to avoid unauthenticated users accessing /verify-2fa, but also need something in place to authorize the user between login and verification. What’s the recommended approach for this?
The plugin tracks, with a special intermediate cookie, that the first verification is completed.
This is the cookie name:
better-auth.two_factor
On prod it'll have the secure prefix -> __Secure-better.auth.two_factor
Thank you. Should I be verifying this in middleware, or on the page itself?
Again, I appreciate your help; I've been struggling to get this to work for a couple of days now.
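Added example (this is not code from Better Auth or from anyone in the thread): a pure routing decision for the two-step flow described above, written so it can be called from a Next.js middleware. It gates /verify-2fa on the intermediate cookie named in the reply above and gates /dashboard on the full session cookie. Assumptions: the default cookie prefix better-auth (the production name in the reply is spelled with a dot, so check the actual names in your Set-Cookie headers), the default session cookie name session_token, and the route names /login, /verify-2fa and /dashboard from the question. It only checks which cookies are present; it does not validate them, so it is a UX/routing check, not authorization.

```typescript
// Added example, not Better Auth's code: middleware-side routing for the
// Better Auth two-factor flow. Presence check only; the signed cookies are
// validated by Better Auth on the server (auth.api.getSession / the verify endpoint).

// Assumption: default cookie prefix. Better Auth lets you configure this.
const COOKIE_PREFIX = "better-auth";

// Intermediate cookie set after the first factor (named in the thread), and the
// full session cookie (assumed default name "session_token").
const TWO_FACTOR_COOKIE = `${COOKIE_PREFIX}.two_factor`;
const SESSION_COOKIE = `${COOKIE_PREFIX}.session_token`;

export type RouteDecision =
  | { action: "next" }
  | { action: "redirect"; to: string };

// Parse a raw Cookie request header into a name -> value map.
export function parseCookieHeader(header: string | null): Map<string, string> {
  const jar = new Map<string, string>();
  if (!header) return jar;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) jar.set(name, value);
  }
  return jar;
}

// Accept both the plain name (dev, HTTP) and the __Secure- prefixed name
// used in production over HTTPS. Empty values count as absent.
function hasCookie(jar: Map<string, string>, name: string): boolean {
  const v = jar.get(name) ?? jar.get(`__Secure-${name}`);
  return typeof v === "string" && v.length > 0;
}

export function decideRoute(pathname: string, cookieHeader: string | null): RouteDecision {
  const jar = parseCookieHeader(cookieHeader);
  const hasSession = hasCookie(jar, SESSION_COOKIE);
  const pendingTwoFactor = hasCookie(jar, TWO_FACTOR_COOKIE);

  if (pathname === "/verify-2fa" || pathname.startsWith("/verify-2fa/")) {
    // Only someone who passed the first factor gets the second-factor page;
    // someone who already finished has no business here.
    if (hasSession) return { action: "redirect", to: "/dashboard" };
    if (pendingTwoFactor) return { action: "next" };
    return { action: "redirect", to: "/login" };
  }

  if (pathname === "/dashboard" || pathname.startsWith("/dashboard/")) {
    // Protected area: the intermediate cookie is NOT a session and must not
    // unlock anything here.
    if (hasSession) return { action: "next" };
    if (pendingTwoFactor) return { action: "redirect", to: "/verify-2fa" };
    return { action: "redirect", to: "/login" };
  }

  if (pathname === "/login") {
    if (hasSession) return { action: "redirect", to: "/dashboard" };
    return { action: "next" };
  }

  return { action: "next" };
}
```

From middleware.ts you would do something like `const d = decideRoute(req.nextUrl.pathname, req.headers.get("cookie"))` and return `NextResponse.redirect(new URL(d.to, req.url))` when `d.action === "redirect"`, otherwise `NextResponse.next()`. Because this is a presence check, a forged better-auth.two_factor cookie only gets an attacker to the /verify-2fa page shell; the actual second-factor verification call validates the signed cookie server-side and will reject it. Likewise the /dashboard page or its data loaders must still confirm the session on the server (Better Auth's documented `auth.api.getSession({ headers })`) rather than trusting that middleware let the request through.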