ChowderCrab
BABetter Auth
•Created by ChowderCrab on 2/18/2025 in #help
Cookie cache does not refresh with server-side getSession call
I see an Issue was opened yesterday for someone running into the same problem with Express: https://github.com/better-auth/better-auth/issues/1862
34 replies
I looked too and couldn't find any PRs (open or closed) that sounded like this. Do you know generally how it was supposed to work? Like is/was the plugin a special way to "getSession" for Next.js on the server that also handles cookies? Or is it something more specific to cookies only?
This whole thing isn't super urgent for me right this second, but it'd definitely be nice if there was an "official" way to do this (either out of the box or plugin).
34 replies
oh nice, yeah that might be the best way to handle this, especially if it's similar to what's done/planned for Next
34 replies
I think when BA upgraded to v1.2 and Better Call v1, the way headers were merged was changed and might be different from other things in the context.
for example, I see this change: https://github.com/better-auth/better-auth/commit/46dfc078c03a409bbf3284640588ee0ca8989330#diff-fe25b5f529f2941cd1299abab03e2be7adb5d9e882cee20dff2aca64c747b1fc
Which has a comment:
So without digging into the before/after in more detail it might have been coded so that headers are merged in a different way (and therefore still work with BA 1.2), but other things like a passed in setCookie function are overwritten by the hook.
But again, I'm not sure if overriding the function in context is the way it should work or if it would be better to have a separate server-side function for getSession that returns information about cookie-related updates (deletions/sets/etc) which can then be implemented as-needed by the server-side framework in question.
34 replies
They use h3 under the hood, so you import setCookie from @tanstack/react-start/server, which I think is the same as this: https://h3.unjs.io/utils/advanced#setcookieevent-name-value-serializeoptions
Prior to 1.2 I could pass that setCookie in the context to getSession and my cookies would get set, but with BA 1.2 the setCookie function I include is ignored. Although as mentioned I think it was only working by chance in the first place. And even if it works that wouldn't help with other cookie-related actions (deleteSessionCookie) that getSession tries to handle.
34 replies
TanStack Start.
34 replies
@bekacru Just an FYI in case you're interested. We're trying to use getSession on the server and also be able to update cookies (e.g., refresh the cookie cache). But the default (just passing headers as shown in docs) doesn't work, and the workaround we had working before 1.2 doesn't work after 1.2 (passing setCookie to the getSession call).
I think it'd be nice to have a server-only way to get session and find out what cookie changes need to be made.... maybe return cookies that need to be set/deleted so that it was framework agnostic and the user could handle those however they needed (or wrap in an adapter).
34 replies
okay, so starting with 1.2.0 Better Auth will no longer use the setCookie that is passed in via the context.
so doing this to pass a custom setCookie:
does nothing because when the Better Auth code calls ctx.setCookie to update the cookie cache it's using the original setCookie (that doesn't work), not the new one we're passing in. I confirmed this by modifying the code in node_modules to log the function before it's called and can see that it's not what we need.
So something changed in 1.2 that doesn't merge in our custom setCookie (from TanStack Start) that was working before.
34 replies
I might need to look at reimplementing setCookieCache on my own if I can't figure it out.
I think it would be nice to have a standalone server-side "get session" function... maybe with a return value that includes headers to set/delete so that the developer can use whatever is correct for their own framework to make the cookie changes.
34 replies
After a quick look, I'm not seeing anything in getSession or setSessionCookie after 1.1.21 that would have changed how this works.
34 replies
Good catch. I just confirmed this on my end. If I downgrade to 1.1.21 then the cookie gets reset no problem from my auth middleware using setCookie, but if I go back to 1.2.4 it doesn't work. Since that's all I changed it confirms something changed with BA and that it isn't a TS Start change causing this. I'll take a quick look to see what might have broken this.
34 replies
I was actually able to vastly simplify my solution when I determined that I can pass my "setCookie" function (from TanStack Start) into the getSession call server-side. The Better Auth code will now use that to update cookies for me.
So now all I do is:
For Next.js setting cookies is handled differently so I'm not sure if you'll find a way to do this easily. Even if you wrapped the Next.js cookie setting code in a setCookie function that matches the expected signature, I think there may be a problem since cookies are (I think recently) async in Next.js.
34 replies
Hey, I'm not quite ready to share yet since there are some security implications I'm trying to sort out. I'll come back if I work through those!
34 replies
UPDATE: Improved further. I looked at the Better Auth code and implemented setCookieCache on my server. That removes the extra cookie I was making and the 10 second check on the client. Now, any time I find the cookie cache missing on the server I recreate it and set the cookie in the response. That means the only time I ever hit the database for the session is the first request after the cookie cache expires, which is exactly how I'd like it to work.
34 replies
I could save some of the extra work if I can get a new value for the cookie cache directly from BetterAuth and set it in the server function. That way rather than setting a "cache-expired" cookie and manually refetching from the client, I'd just refresh the cookie cache on the server as we do with the primary session token. Maybe there's already a way to do this?
34 replies
EDIT: this isn't the latest. See below.
I came up with something that works okay, although I'm still interested in what others might think or if there's a simpler solution.
What I did:
1. In my server function that checks auth I'm already checking headers on essentially every request. I added a check to see if the cookie cache is present ("better-auth.session_data"). If it's not (i.e., it's expired), then I set a cookie (not HTTP Only) called "cache-expired=true".
2. In my logged-in layout, I have one query set up with React Query to call authClient.getSession. This is set to a longer time like 15 minutes, and will redirect to log-in if the session is ever null (expired). Before returning it sets the cookie "cache-expired=false" to reset things.
3. I have a separate React Query that runs every 10 seconds and all it does is check document.cookie to see if "cache-expired=true". If found, it'll invalidate the "session" query, causing it to refetch immediately and set the cookie cache.
This setup will not refetch the session as soon as the cookie cache has expired. However, as soon as the user does pretty much anything in the app we'll set the "cache-expired" cookie and then the client will refresh the cookie cache within 10 seconds.
This seems like a decent setup that minimizes unnecessary get-session calls from the client. If the user isn't actively using the app then the session will only be fetched client-side once every 15 minutes (I might even make this longer), which lets me send them to sign-in if the session expires. However, if they are actively using the app and the cookie cache expires, we'll get it reset within 10 seconds of the user's last action.
34 replies