github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-24 16:11:53 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[GH-ISSUE #5875] Stale client session data after server action login in Next #10368

New Issue
Closed
opened 2026-04-13 06:28:04 -05:00 by GiteaMirror · 6 comments
GiteaMirror commented 2026-04-13 06:28:04 -05:00
Owner
Copy Link

Originally created by @Romflz on GitHub (Nov 9, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/5875

Originally assigned to: @Paola3stefania on GitHub.

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

To recreate:

  1. Initialize new Next16 project
  2. Configure better auth with nextjs as per better auth docs. Create better auth client with createAuthClient()
  3. Log user client session in the console
  4. Initialize login of user A via a server action
  5. Log user A out via a server action
  6. Log user B in via a server action
  7. Client session will log user A session

Current vs. Expected behavior

Expected behavior:
Client user session refresh after new user logins in

Current behavior:
Client session still has previous session

What version of Better Auth are you using?

1.3.34

System info

{
  "system": {
    "platform": "darwin",
    "arch": "arm64",
    "version": "Darwin Kernel Version 25.0.0: Wed Sep 17 21:41:50 PDT 2025; root:xnu-12377.1.9~141/RELEASE_ARM64_T6030",
    "release": "25.0.0",
    "cpuCount": 11,
    "cpuModel": "Apple M3 Pro",
    "totalMemory": "18.00 GB",
    "freeMemory": "0.39 GB"
  },
  "node": {
    "version": "v22.20.0",
    "env": "development"
  },
  "packageManager": {
    "name": "npm",
    "version": "10.9.3"
  },
  "frameworks": [
    {
      "name": "next",
      "version": "16.0.1"
    },
    {
      "name": "react",
      "version": "19.2.0"
    }
  ],
  "databases": [
    {
      "name": "pg",
      "version": "^8.16.3"
    },
    {
      "name": "@prisma/client",
      "version": "^6.19.0"
    }
  ],
  "betterAuth": {
    "version": "^1.3.34",
    "config": {
      "emailAndPassword": {
        "enabled": true,
        "requireEmailVerification": false,
        "sendOnSignUp": false
      },
      "user": {
        "changeEmail": {
          "enabled": true
        }
      },
      "emailVerification": {},
      "socialProviders": {
        "google": {
          "clientId": "[REDACTED]",
          "clientSecret": "[REDACTED]"
        }
      },
      "plugins": [
        {
          "name": "next-cookies",
          "config": {
            "id": "next-cookies",
            "hooks": {
              "after": [
                {}
              ]
            }
          }
        }
      ]
    }
  }
}

Which area(s) are affected? (Select all that apply)

Client

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  emailAndPassword: {  
    enabled: true
  },
});

Additional context

No response

Originally created by @Romflz on GitHub (Nov 9, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/5875 Originally assigned to: @Paola3stefania on GitHub. ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce To recreate: 1. Initialize new Next16 project 2. Configure better auth with nextjs as per better auth docs. Create better auth client with createAuthClient() 3. Log user client session in the console 4. Initialize login of user A via a server action 5. Log user A out via a server action 6. Log user B in via a server action 7. Client session will log user A session ### Current vs. Expected behavior Expected behavior: Client user session refresh after new user logins in Current behavior: Client session still has previous session ### What version of Better Auth are you using? 1.3.34 ### System info ```bash { "system": { "platform": "darwin", "arch": "arm64", "version": "Darwin Kernel Version 25.0.0: Wed Sep 17 21:41:50 PDT 2025; root:xnu-12377.1.9~141/RELEASE_ARM64_T6030", "release": "25.0.0", "cpuCount": 11, "cpuModel": "Apple M3 Pro", "totalMemory": "18.00 GB", "freeMemory": "0.39 GB" }, "node": { "version": "v22.20.0", "env": "development" }, "packageManager": { "name": "npm", "version": "10.9.3" }, "frameworks": [ { "name": "next", "version": "16.0.1" }, { "name": "react", "version": "19.2.0" } ], "databases": [ { "name": "pg", "version": "^8.16.3" }, { "name": "@prisma/client", "version": "^6.19.0" } ], "betterAuth": { "version": "^1.3.34", "config": { "emailAndPassword": { "enabled": true, "requireEmailVerification": false, "sendOnSignUp": false }, "user": { "changeEmail": { "enabled": true } }, "emailVerification": {}, "socialProviders": { "google": { "clientId": "[REDACTED]", "clientSecret": "[REDACTED]" } }, "plugins": [ { "name": "next-cookies", "config": { "id": "next-cookies", "hooks": { "after": [ {} ] } } } ] } } } ``` ### Which area(s) are affected? (Select all that apply) Client ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ emailAndPassword: { enabled: true }, }); ``` ### Additional context _No response_
GiteaMirror added the platformcorelockedbug labels 2026-04-13 06:28:04 -05:00
GiteaMirror commented 2026-04-13 06:28:07 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Nov 9, 2025):

Hi @Romflz! I'm Dosu and I’m helping the better-auth team.

This is a known limitation with Better Auth and Next.js: after server actions like login/logout, the client session (from useSession or createAuthClient) does not automatically update, so you see stale session data until a manual refresh or refetch. This happens because server actions update cookies and session state on the server, but the client-side hooks aren't notified and don't refetch the session unless triggered explicitly. Social logins work because they cause a full page reload, which naturally refreshes the session state reference.

To work around this, you can trigger a client-side session refresh after server actions. For example, after a server action completes, call the refetch method from the useSession hook, or use a client component that calls authClient.getSession() or authClient.useSession() on navigation or after login/logout reference. Some teams place a SessionRefresher component in the root layout to keep the session in sync:

'use client';
import { authClient } from '@/lib/auth-client';

export function SessionRefresher() {
  authClient.useSession();
  return null;
}

You can also trigger a refresh on navigation changes:

'use client';
import { usePathname } from 'next/navigation';
import { useEffect } from 'react';
import { authClient } from '@/lib/auth-client';

export function SessionRefresher() {
  const pathname = usePathname();
  useEffect(() => {
    authClient.getSession();
  }, [pathname]);
  return null;
}

If you want to avoid manual refreshes, consider polling or refetching the session on tab focus or visibility change. There is no built-in push mechanism from server to client in Better Auth yet, but recent updates have added session refresh managers that help keep the session in sync across tabs and browser events reference.

If you use custom cookie settings, make sure cookies are set with the correct domain, path, and secure flags, and that you aren't using partitioned cookies unless required reference.

Let me know if you need a more specific code example for your flow!

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

<!-- gh-comment-id:3508684751 --> @dosubot[bot] commented on GitHub (Nov 9, 2025): <!-- Greeting --> Hi @Romflz! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the better-auth team. <!-- Answer --> This is a known limitation with Better Auth and Next.js: after server actions like login/logout, the client session (from `useSession` or `createAuthClient`) does not automatically update, so you see stale session data until a manual refresh or refetch. This happens because server actions update cookies and session state on the server, but the client-side hooks aren't notified and don't refetch the session unless triggered explicitly. Social logins work because they cause a full page reload, which naturally refreshes the session state [reference](https://github.com/better-auth/better-auth/issues/3608). To work around this, you can trigger a client-side session refresh after server actions. For example, after a server action completes, call the `refetch` method from the `useSession` hook, or use a client component that calls `authClient.getSession()` or `authClient.useSession()` on navigation or after login/logout [reference](https://github.com/better-auth/better-auth/issues/2115). Some teams place a `SessionRefresher` component in the root layout to keep the session in sync: ```tsx 'use client'; import { authClient } from '@/lib/auth-client'; export function SessionRefresher() { authClient.useSession(); return null; } ``` You can also trigger a refresh on navigation changes: ```tsx 'use client'; import { usePathname } from 'next/navigation'; import { useEffect } from 'react'; import { authClient } from '@/lib/auth-client'; export function SessionRefresher() { const pathname = usePathname(); useEffect(() => { authClient.getSession(); }, [pathname]); return null; } ``` If you want to avoid manual refreshes, consider polling or refetching the session on tab focus or visibility change. There is no built-in push mechanism from server to client in Better Auth yet, but recent updates have added session refresh managers that help keep the session in sync across tabs and browser events [reference](https://github.com/better-auth/better-auth/pull/5630). If you use custom cookie settings, make sure cookies are set with the correct domain, path, and secure flags, and that you aren't using partitioned cookies unless required [reference](https://github.com/better-auth/better-auth/issues/3267). Let me know if you need a more specific code example for your flow! <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/6b46e04e-9c69-4531-b6a4-bf0a4c51f097?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/6b46e04e-9c69-4531-b6a4-bf0a4c51f097?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/6b46e04e-9c69-4531-b6a4-bf0a4c51f097?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/6b46e04e-9c69-4531-b6a4-bf0a4c51f097?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/6b46e04e-9c69-4531-b6a4-bf0a4c51f097?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/6b46e04e-9c69-4531-b6a4-bf0a4c51f097?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/6b46e04e-9c69-4531-b6a4-bf0a4c51f097?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/5875)
GiteaMirror commented 2026-04-13 06:28:07 -05:00
Author
Owner
Copy Link

@rufique commented on GitHub (Nov 13, 2025):

Well, my case is different, after logout, or even a fresh login on a different browser, i get the wrong session, although sometimes it is correct, it is unpredictable. My logout method is removing the cookie on the client, however get_session on the client returns the old cookie even if the user has changed

"use client";
import { usePathname } from "next/navigation";
import { useEffect, useRef } from "react";
import { authClient } from "~/lib/auth-client";

export function SessionRefresher() {
  const pathname = usePathname();
  const lastPathRef = useRef(pathname);

  useEffect(() => {
    // Force refresh session when pathname changes
    if (pathname !== lastPathRef.current) {
      lastPathRef.current = pathname;
      authClient.getSession({
        fetchOptions: {
          cache: "no-cache"
        }
      });
    }
  }, [pathname]);

  useEffect(() => {
    // Initial session fetch on mount with cache bypass
    authClient.getSession({
      fetchOptions: {
        cache: "no-cache"
      }
    });

    // Refresh session when tab becomes visible again
    const handleVisibilityChange = () => {
      if (document.visibilityState === "visible") {
        authClient.getSession({
          fetchOptions: {
            cache: "no-cache"
          }
        });
      }
    };

    // Refresh session when window regains focus
    const handleFocus = () => {
      authClient.getSession({
        fetchOptions: {
          cache: "no-cache"
        }
      });
    };

    document.addEventListener("visibilitychange", handleVisibilityChange);
    window.addEventListener("focus", handleFocus);

    return () => {
      document.removeEventListener("visibilitychange", handleVisibilityChange);
      window.removeEventListener("focus", handleFocus);
    };
  }, []);

  return null;
}

I have added this method, but the issue is persitent

<!-- gh-comment-id:3526183705 --> @rufique commented on GitHub (Nov 13, 2025): Well, my case is different, after logout, or even a fresh login on a different browser, i get the wrong session, although sometimes it is correct, it is unpredictable. My logout method is removing the cookie on the client, however get_session on the client returns the old cookie even if the user has changed ``` "use client"; import { usePathname } from "next/navigation"; import { useEffect, useRef } from "react"; import { authClient } from "~/lib/auth-client"; export function SessionRefresher() { const pathname = usePathname(); const lastPathRef = useRef(pathname); useEffect(() => { // Force refresh session when pathname changes if (pathname !== lastPathRef.current) { lastPathRef.current = pathname; authClient.getSession({ fetchOptions: { cache: "no-cache" } }); } }, [pathname]); useEffect(() => { // Initial session fetch on mount with cache bypass authClient.getSession({ fetchOptions: { cache: "no-cache" } }); // Refresh session when tab becomes visible again const handleVisibilityChange = () => { if (document.visibilityState === "visible") { authClient.getSession({ fetchOptions: { cache: "no-cache" } }); } }; // Refresh session when window regains focus const handleFocus = () => { authClient.getSession({ fetchOptions: { cache: "no-cache" } }); }; document.addEventListener("visibilitychange", handleVisibilityChange); window.addEventListener("focus", handleFocus); return () => { document.removeEventListener("visibilitychange", handleVisibilityChange); window.removeEventListener("focus", handleFocus); }; }, []); return null; } ``` I have added this method, but the issue is persitent
GiteaMirror commented 2026-04-13 06:28:08 -05:00
Author
Owner
Copy Link

@Romflz commented on GitHub (Nov 13, 2025):

What I did to bypass the issue is create a SessionRefresher.tsx component that sits at my layout. As how the bot suggested. This is the code:

'use client'
import { useEffect } from 'react'
import { authClient } from '@/lib/auth-client'

export default function SessionFocusSync() {
  const { refetch } = authClient.useSession()
  useEffect(() => {
    const onFocus = () => refetch()
    window.addEventListener('focus', onFocus)
    return () => window.removeEventListener('focus', onFocus)
  }, [refetch])
  return null
}

Not sure if this is 100% correct way, but it seems to work in my case. (In fact, after creating an after hook in the auth, as per docs https://www.better-auth.com/docs/concepts/hooks, I noticed that the refresh session calls the get-session, which is good)

I also converted my login and register to use the client api instead of server actions due to this issue and also when reading the docs:
Server-side requests made using auth.api aren't affected by rate limiting. Rate limits only apply to client-initiated requests. states that rate limiting only works on client api.

I have also encountered a bug where when a user has a session saved, and you delete the said user from the db, the client does not know what to do, so if you have middleware that checks the cookie, make sure it also checks if its valid and removes it if its not. As the server does not remove it automatically. (Need to fully test this later, as its been hit or miss)

<!-- gh-comment-id:3526252224 --> @Romflz commented on GitHub (Nov 13, 2025): What I did to bypass the issue is create a SessionRefresher.tsx component that sits at my layout. As how the bot suggested. This is the code: ``` 'use client' import { useEffect } from 'react' import { authClient } from '@/lib/auth-client' export default function SessionFocusSync() { const { refetch } = authClient.useSession() useEffect(() => { const onFocus = () => refetch() window.addEventListener('focus', onFocus) return () => window.removeEventListener('focus', onFocus) }, [refetch]) return null } ``` Not sure if this is 100% correct way, but it seems to work in my case. (In fact, after creating an after hook in the auth, as per docs https://www.better-auth.com/docs/concepts/hooks, I noticed that the refresh session calls the get-session, which is good) I also converted my login and register to use the client api instead of server actions due to this issue and also when reading the docs: `Server-side requests made using auth.api aren't affected by rate limiting. Rate limits only apply to client-initiated requests. ` states that rate limiting only works on client api. I have also encountered a bug where when a user has a session saved, and you delete the said user from the db, the client does not know what to do, so if you have middleware that checks the cookie, make sure it also checks if its valid and removes it if its not. As the server does not remove it automatically. (Need to fully test this later, as its been hit or miss)
GiteaMirror commented 2026-04-13 06:28:08 -05:00
Author
Owner
Copy Link

@Paola3stefania commented on GitHub (Jan 9, 2026):

@Romflz you still have this issue with latest version?

<!-- gh-comment-id:3730660002 --> @Paola3stefania commented on GitHub (Jan 9, 2026): @Romflz you still have this issue with latest version?
GiteaMirror commented 2026-04-13 06:28:09 -05:00
Author
Owner
Copy Link

@ping-maxwell commented on GitHub (Mar 27, 2026):

closing as stale

<!-- gh-comment-id:4142153048 --> @ping-maxwell commented on GitHub (Mar 27, 2026): closing as stale
GiteaMirror commented 2026-04-13 06:28:10 -05:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (Apr 4, 2026):

This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.

<!-- gh-comment-id:4185771228 --> @github-actions[bot] commented on GitHub (Apr 4, 2026): This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label bug core locked platform
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#10368
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?