fix(auth): update cookie handling in anonymous and multi-session plugins

packages/better-auth/src/plugins/anonymous/index.ts

@@ -162,17 +162,19 @@ export const anonymous = (options?: AnonymousOptions) => {
 							context.context.authCookies.sessionToken.name,
 						);
 						return (
-							!!hasSessionToken &&
-							(context.path.startsWith("/sign-in") ||
-								context.path.startsWith("/sign-up") ||
-								context.path.startsWith("/callback") ||
-								context.path.startsWith("/oauth2/callback") ||
-								context.path.startsWith("/magic-link/verify") ||
-								context.path.startsWith("/email-otp/verify-email"))
+							context.path.startsWith("/sign-in") ||
+							context.path.startsWith("/sign-up") ||
+							context.path.startsWith("/callback") ||
+							context.path.startsWith("/oauth2/callback") ||
+							context.path.startsWith("/magic-link/verify") ||
+							context.path.startsWith("/email-otp/verify-email")
 						);
 					},
 					handler: createAuthMiddleware(async (ctx) => {
-						const headers = ctx.responseHeader;
+						const headers =
+							ctx.context.returned instanceof APIError
+								? ctx.context.returned.headers
+								: ctx.responseHeader;
 						const setCookie = headers.get("set-cookie");
 						/**
 						 * We can consider the user is about to sign in or sign up

packages/better-auth/src/plugins/multi-session/index.ts

@@ -232,7 +232,11 @@ export const multiSession = (options?: MultiSessionConfig) => {
 				{
 					matcher: () => true,
 					handler: createAuthMiddleware(async (ctx) => {
-						const cookieString = ctx.responseHeader.get("set-cookie");
+						const headers =
+							ctx.context.returned instanceof APIError
+								? ctx.context.returned.headers
+								: ctx.responseHeader;
+						const cookieString = headers.get("set-cookie");
 						if (!cookieString) return;
 						const setCookies = parseSetCookieHeader(cookieString);
 						const sessionCookieConfig = ctx.context.authCookies.sessionToken;