Better Auth
Created by triquad on 3/29/2025 in #bug-reports
getSession intermittently fails cookie signature verification, deletes cookies
We've been seeing erratic, unexpected log-outs in our app, and have traced it down to the session cookie being deleted because it has the wrong signature here:
https://github.com/better-auth/better-auth/blob/v1.2.5/packages/better-auth/src/api/routes/session.ts#L118

I have confirmed it is a signature mismatch by patching debug logs into getSession(): they show sessionDataPayload.signature doesn't match a signature created with createHMAC(...).sign() using the same contents.

We're using the phoneNumber plugin, and are encountering the issue most reliably (about 2% of runs) immediately after authClient.phoneNumber.verify() succeeds, but we're also occasionally seeing the issue at other times unrelated to the login flow.

Perhaps of note, sessionDataPayload.expiresAt is almost exactly cookieCache.maxAge in the future (which makes sense immediately after a successful phoneNumber verification). Is it possible that, as a client's request is heading out, a response from a previous request (e.g. phoneNumber.verify) is updating the cookie's expiry but doesn't have time for the signed contents, or... something like that? What else could be causing this? And how can I guard against it? I'm at a bit of a loss trying to figure out what to try doing next, so any suggestions would be very appreciated 😅🙏!