Louie™
Better Auth
•Created by Louie™ on 4/20/2025 in #help
clearing 2FA cookie on logout
Hi guys, I’m using Better-Auth with TOTP-based 2FA and had a question about the better-auth.two_factor cookie behavior.
I’ve noticed that after a user successfully verifies their TOTP code, the better-auth.two_factor cookie remains present in the browser — even after a full session is created. Similarly, it doesn’t appear to be cleared when the user logs out.
This leads to a UX issue where, after logout, my middleware sees the cookie still present (but no session), and incorrectly redirects users back to /verify-2fa instead of letting them hit /.
I’ve tried clearing the cookie manually on the client using document.cookie (clearing both better-auth.two_factor and __Secure-better.auth.two_factor), but it seems the cookie remains — possibly due to flags set on your end like Secure, SameSite, or path/domain.
My question is:
Is there a recommended way to programmatically clear the 2FA cookie after successful verification or logout?
Or is it intentionally designed to expire naturally (e.g. after 10–15 minutes) without early deletion support?
I just want to make sure I’m not missing an intended way to handle this, and that I’m not fighting against the system if it’s something Better-Auth handles on its own.
Thanks so much — appreciate any insight you can provide!
2 replies
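The two mechanisms the post is wrestling with (a middleware that routes on cookie presence, and a logout that should delete the 2FA cookie) can be separated from any particular framework. The block below is an added example and is not code from the post or from Better Auth. It assumes only what the post states: the cookie names `better-auth.two_factor` and `__Secure-better.auth.two_factor`, a `/verify-2fa` page, and that session validity is decided elsewhere (passed in as a boolean). The `Path`, `Domain` and `SameSite` values are placeholders; a browser only deletes a cookie when the name, `Path` and `Domain` on the expiring `Set-Cookie` match the original, a `__Secure-` name is rejected unless `Secure` is present, and an `HttpOnly` cookie cannot be read or cleared from `document.cookie` at all, which is why the deletion has to come from the server's logout response.

```typescript
// Added example, not Better Auth's own code. Cookie names are taken from the
// post; Path/Domain/SameSite below are placeholders (assumption) that must be
// replaced with whatever the server actually sets on the 2FA cookie.
const TWO_FACTOR_COOKIES = ["better-auth.two_factor", "__Secure-better.auth.two_factor"];

// Paths reachable without a verified session (assumption for the example).
const PUBLIC_PATHS = new Set(["/", "/login", "/verify-2fa"]);

export type RouteDecision = { action: "next" } | { action: "redirect"; to: string };

// Minimal Cookie request-header parser: "a=1; b=2" -> Map { a => "1", b => "2" }.
export function parseCookieHeader(header: string | null): Map<string, string> {
  const out = new Map<string, string>();
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out.set(name, part.slice(idx + 1).trim());
  }
  return out;
}

// Middleware rule. The security-relevant point: the 2FA cookie is evidence of a
// login in progress, never of an authenticated user. Only `sessionValid`
// (checked against the session store, not just cookie presence) grants access.
export function decideRoute(
  cookieHeader: string | null,
  path: string,
  sessionValid: boolean,
): RouteDecision {
  const cookies = parseCookieHeader(cookieHeader);
  const pendingTwoFactor = TWO_FACTOR_COOKIES.some((n) => cookies.has(n));

  if (sessionValid) {
    // Fully verified: keep them off the verification page, let everything else through.
    return path === "/verify-2fa" ? { action: "redirect", to: "/" } : { action: "next" };
  }
  if (path === "/verify-2fa") {
    // Only a pending login may use the verification page.
    return pendingTwoFactor ? { action: "next" } : { action: "redirect", to: "/login" };
  }
  if (PUBLIC_PATHS.has(path)) {
    // A stale 2FA cookie on "/" after logout must not bounce the user to /verify-2fa.
    return { action: "next" };
  }
  // Protected path without a session: finish 2FA if one is pending, else log in.
  return { action: "redirect", to: pendingTwoFactor ? "/verify-2fa" : "/login" };
}

export type CookieAttrs = {
  path: string;
  domain?: string;
  secure: boolean;
  sameSite: "Lax" | "Strict" | "None";
};

// Build Set-Cookie headers that delete the given cookies. Deletion is only
// honoured when name, Path and Domain match the cookie that was originally set;
// "__Secure-" names and SameSite=None both require the Secure attribute.
export function expireCookieHeaders(names: string[], attrs: CookieAttrs): string[] {
  return names.map((name) => {
    const secure = attrs.secure || name.startsWith("__Secure-") || attrs.sameSite === "None";
    const parts = [
      `${name}=`,
      `Path=${attrs.path}`,
      "Max-Age=0",
      "Expires=Thu, 01 Jan 1970 00:00:00 GMT",
      "HttpOnly",
      `SameSite=${attrs.sameSite}`,
    ];
    if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
    if (secure) parts.push("Secure");
    return parts.join("; ");
  });
}

// Usage on logout (assumed shape): emit one header per returned string, e.g.
//   for (const h of expireCookieHeaders(TWO_FACTOR_COOKIES, { path: "/", secure: true, sameSite: "Lax" }))
//     response.headers.append("Set-Cookie", h);
```

The `decideRoute` rule alone fixes the redirect loop on `/`, but a stale cookie would still send a signed-out user to `/verify-2fa` on protected paths; that is why the logout response should also carry the expiring headers from `expireCookieHeaders`, with attributes copied from the server's real `Set-Cookie` so the browser actually drops the cookie.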
Better Auth
•Created by Louie™ on 4/19/2025 in #help
Handling better-auth.two_factor cookie after TOTP verification and logout
Hi there, I’m using Better-Auth with TOTP-based 2FA and had a question about the better-auth.two_factor cookie behavior.
I’ve noticed that after a user successfully verifies their TOTP code, the better-auth.two_factor cookie remains present in the browser — even after a full session is created. Similarly, it doesn’t appear to be cleared when the user logs out.
This leads to a UX issue where, after logout, my middleware sees the cookie still present (but no session), and incorrectly redirects users back to /verify-2fa instead of letting them hit /.
I’ve tried clearing the cookie manually on the client using document.cookie (clearing both better-auth.two_factor and __Secure-better.auth.two_factor), but it seems the cookie remains — possibly due to flags set on your end like Secure, SameSite, or path/domain.
My question is:
Is there a recommended way to programmatically clear the 2FA cookie after successful verification or logout?
Or is it intentionally designed to expire naturally (e.g. after 10–15 minutes) without early deletion support?
I just want to make sure I’m not missing an intended way to handle this, and that I’m not fighting against the system if it’s something Better-Auth handles on its own.
Thanks so much — appreciate any insight you can provide!
1 reply
Better Auth
•Created by Louie™ on 4/12/2025 in #help
Trouble creating session after login with 2fa enabled
Hi, I'm using Better-Auth with the Prisma adapter in a Next.js (App Router) project, and I’m having trouble with session creation when a user has 2FA enabled.
When logging in with correct credentials using authClient.signIn.email(...) from the client, the server responds with 200, but:
No session is created in the database (checked directly via Prisma)
No Set-Cookie header is sent in the response
The browser doesn’t store any session cookie
authClient.getSession() returns null after login
The user is stuck on the login screen because the session never exists
This only happens when user.twoFactorEnabled === true.
When 2FA is not enabled, everything works as expected: the session is created and persisted, and the user is redirected to /dashboard.
I’ve confirmed that:
The user does have twoFactorEnabled = true in the database
The login call returns { twoFactorRedirect: true } as expected
No session entry is created in the DB for these 2FA-enabled login attempts
I suspect the issue is that authClient.signIn.email() doesn’t actually create and persist the session on its own — especially when 2FA is enabled — but the documentation doesn’t clearly explain this behavior.
Can you confirm:
Is authClient.signIn.email() supposed to create a session automatically when 2FA is enabled?
If not, is the recommended flow to move all session creation (temporary and full) into a custom API route and handle it with auth.createSession() and cookies().set() manually?
Thanks — happy to share code if helpful.
9 replies
Better Auth
•Created by Louie™ on 4/12/2025 in #help
Trouble Creating Session After Login with 2FA Enabled – No Session Created or Persisted
Hi, I'm using Better-Auth with the Prisma adapter in a Next.js (App Router) project, and I’m having trouble with session creation when a user has 2FA enabled.
When logging in with correct credentials using authClient.signIn.email(...) from the client, the server responds with 200, but:
No session is created in the database (checked directly via Prisma)
No Set-Cookie header is sent in the response
The browser doesn’t store any session cookie
authClient.getSession() returns null after login
The user is stuck on the login screen because the session never exists
This only happens when user.twoFactorEnabled === true.
When 2FA is not enabled, everything works as expected: the session is created and persisted, and the user is redirected to /dashboard.
I’ve confirmed that:
The user does have twoFactorEnabled = true in the database
The login call returns { twoFactorRedirect: true } as expected
No session entry is created in the DB for these 2FA-enabled login attempts
I suspect the issue is that authClient.signIn.email() doesn’t actually create and persist the session on its own — especially when 2FA is enabled — but the documentation doesn’t clearly explain this behavior.
Can you confirm:
Is authClient.signIn.email() supposed to create a session automatically when 2FA is enabled?
If not, is the recommended flow to move all session creation (temporary and full) into a custom API route and handle it with auth.createSession() and cookies().set() manually?
Thanks — happy to share code if helpful.
1 reply
Better Auth
•Created by Louie™ on 2/13/2025 in #help
Google OAuth help
Hey guys, just wondering what's the best way to handle allowing users to sign in with both email/password and Google OAuth.
I noticed the same email can't be used for both OAuth and email/password auth unless it's configured to do so, since when I test creating an account with Google OAuth it seems it doesn't set a password field.
Not sure if this has been answered before or not, but it would be a huge help. Just curious how you guys set this up.
1 reply
Better Auth
•Created by Louie™ on 2/4/2025 in #help
Prisma + Supabase
Hey guys, I'm a new dev and just wondering if anyone could help me figure out an issue with trying to use Prisma + Supabase with better-auth.
I'm having trouble trying to sign in and sign up when testing my app on localhost. When trying to log in with Google OAuth, I'm getting the following error:
2025-02-04T18:00:59.819Z ERROR [Better Auth]: PrismaClientInitializationError PrismaClientInitializationError:
Invalid `prisma.verification.create()` invocation:

Can't reach database server at `aws-0-us-east-1.pooler.supabase.com:6543`

Please make sure your database server is running at `aws-0-us-east-1.pooler.supabase.com:6543`.
Been struggling to figure out auth in general, any help would be appreciated. If there's any other info you need to help me figure out this issue, I'll be around to provide any additional info needed. Thank you guys!
1 reply