github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-23 07:18:56 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[GH-ISSUE #5871] Partitioned cookies in an SPA App results in OAuth state_mismatch error #18996

New Issue
Closed
opened 2026-04-15 17:44:43 -05:00 by GiteaMirror · 13 comments
GiteaMirror commented 2026-04-15 17:44:43 -05:00
Owner
Copy Link

Originally created by @agarwalvaibhav0211 on GitHub (Nov 9, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/5871

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

SPA is hosted at example.com, better-auth at example-2.com. Partitioned has been set in the cookies attributes

  1. Call authClient.signIn.oauth2.
  2. Better-auth redirects to the oauth login.
  3. After login, callback is called.
  4. State cookie is not present since partition is with key example.com, and cookie sent in the redirect requires example-2.com

Current vs. Expected behavior

Should complete login without any issue

What version of Better Auth are you using?

1.3.33

System info

{
  "system": {
    "platform": "linux",
    "arch": "x64",
    "version": "#1 SMP PREEMPT_DYNAMIC Thu Jun  5 18:30:46 UTC 2025",
    "release": "6.6.87.2-microsoft-standard-WSL2",
    "cpuCount": 8,
    "cpuModel": "Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz",
    "totalMemory": "7.70 GB",
    "freeMemory": "0.53 GB"
  },
  "node": {
    "version": "v22.15.0",
    "env": "development"
  },
  "packageManager": {
    "name": "yarn",
    "version": "4.10.3"
  },
  "frameworks": null,
  "databases": null,
  "betterAuth": {
    "version": "Unknown",
    "config": null
  }
}

Which area(s) are affected? (Select all that apply)

Backend, Client

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  defaultCookieAttributes:{
    httpOnly   : true, 
    maxAge     : 50000,
    partitioned: true,
    path       : "/",
    sameSite   : "none",
    secure     : true,
  },
  emailAndPassword: {  
    enabled: true
  },
  trustedOrigins:["https://example.com"],
  plugins:[{
    clientId    : "XXX",
    clientSecret:"XXXX",
    discoveryUrl:"XXXX",
    prompt:"login",
    providerId:"XXXXX"
  }]
});

Additional context

No response

Originally created by @agarwalvaibhav0211 on GitHub (Nov 9, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/5871 ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce SPA is hosted at example.com, better-auth at example-2.com. Partitioned has been set in the cookies attributes 1. Call authClient.signIn.oauth2. 2. Better-auth redirects to the oauth login. 3. After login, callback is called. 4. State cookie is not present since partition is with key `example.com`, and cookie sent in the redirect requires `example-2.com` ### Current vs. Expected behavior Should complete login without any issue ### What version of Better Auth are you using? 1.3.33 ### System info ```bash { "system": { "platform": "linux", "arch": "x64", "version": "#1 SMP PREEMPT_DYNAMIC Thu Jun 5 18:30:46 UTC 2025", "release": "6.6.87.2-microsoft-standard-WSL2", "cpuCount": 8, "cpuModel": "Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz", "totalMemory": "7.70 GB", "freeMemory": "0.53 GB" }, "node": { "version": "v22.15.0", "env": "development" }, "packageManager": { "name": "yarn", "version": "4.10.3" }, "frameworks": null, "databases": null, "betterAuth": { "version": "Unknown", "config": null } } ``` ### Which area(s) are affected? (Select all that apply) Backend, Client ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ defaultCookieAttributes:{ httpOnly : true, maxAge : 50000, partitioned: true, path : "/", sameSite : "none", secure : true, }, emailAndPassword: { enabled: true }, trustedOrigins:["https://example.com"], plugins:[{ clientId : "XXX", clientSecret:"XXXX", discoveryUrl:"XXXX", prompt:"login", providerId:"XXXXX" }] }); ``` ### Additional context _No response_
GiteaMirror added the lockedbug labels 2026-04-15 17:44:43 -05:00
GiteaMirror commented 2026-04-15 17:44:44 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Nov 9, 2025):

It appears that the error is happening because the state cookie, which is key to verifying the OAuth flow, is being set with partitioning on a different domain than where the SPA is running. With partitioned cookies, the cookie is stored under a key that’s tied to the specific site it was created on; therefore, when the SPA is hosted on one domain (example.com) and the auth backend on another (example-2.com), the expected state cookie isn’t found on the callback since it isn’t shared across these domains.

Here are some troubleshooting steps you might consider:
• Adjust the cookie configuration to include an explicit domain attribute that spans both your SPA and backend if possible (or use a setup that avoids cross-domain cookie issues).
• Verify that the trusted origins configuration correctly reflects the domains involved in your flow.
• Consider if partitioned cookies are necessary for your setup. In some cases, switching to a less restrictive cookie setting (if security requirements allow) might resolve the state_mismatch issue.

Does this help clarify the situation? Feel free to tag @better-auth-agent if you would like an answer from the Agent.

DiagramDiscordGitHub

Diagram Join Star

<!-- gh-comment-id:3508142812 --> @better-auth-agent[bot] commented on GitHub (Nov 9, 2025): It appears that the error is happening because the state cookie, which is key to verifying the OAuth flow, is being set with partitioning on a different domain than where the SPA is running. With partitioned cookies, the cookie is stored under a key that’s tied to the specific site it was created on; therefore, when the SPA is hosted on one domain (example.com) and the auth backend on another (example-2.com), the expected state cookie isn’t found on the callback since it isn’t shared across these domains. Here are some troubleshooting steps you might consider: • Adjust the cookie configuration to include an explicit domain attribute that spans both your SPA and backend if possible (or use a setup that avoids cross-domain cookie issues). • Verify that the trusted origins configuration correctly reflects the domains involved in your flow. • Consider if partitioned cookies are necessary for your setup. In some cases, switching to a less restrictive cookie setting (if security requirements allow) might resolve the state_mismatch issue. Does this help clarify the situation? Feel free to tag @better-auth-agent if you would like an answer from the Agent. <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
GiteaMirror commented 2026-04-15 17:44:45 -05:00
Author
Owner
Copy Link

@agarwalvaibhav0211 commented on GitHub (Nov 9, 2025):

@better-auth-agent it's a multi tenanted saas setup, so we cannot use a domain spanning both SPA and Backend.
The trusted Origins setup is configured correctly.
We are using Partitioned cookies, since Third party cookies are being phased out, and con already not be used in Incognito modes and Firefox, and other use cases as well

<!-- gh-comment-id:3508190528 --> @agarwalvaibhav0211 commented on GitHub (Nov 9, 2025): @better-auth-agent it's a multi tenanted saas setup, so we cannot use a domain spanning both SPA and Backend. The trusted Origins setup is configured correctly. We are using Partitioned cookies, since Third party cookies are being phased out, and con already not be used in Incognito modes and Firefox, and other use cases as well
GiteaMirror commented 2026-04-15 17:44:45 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Nov 9, 2025):

Thanks for reporting this. The issue appears to be that the OAuth state cookie is set with a partitioned attribute on your backend domain, so when your SPA on a different domain (via trustedOrigins) handles the callback, the state cookie isn’t sent with the request—resulting in a state_mismatch error. Here are some next steps to troubleshoot this:

• Confirm that the cookie settings (such as domain and partitioned flag) match the domain from which you are expecting the cookie. In a multi-tenant setup where the SPA and backend are on different domains, the partitioning may prevent the state cookie from being available in the redirect request. [1]

• Consider whether you can adjust the cookie attributes just for the OAuth flow. For example, you might try removing the “partitioned: true” option for the state cookie or customizing the domain attribute so that both the SPA and backend share the same cookie context during the redirect.

• If changing the cookie’s domain isn’t feasible, you might need to explore alternative methods (e.g. storing the state parameter in browser storage temporarily) to ensure that the state persists across domains during the OAuth flow.

• Double-check that trustedOrigins is correctly configured and that no additional security settings (like strict sameSite policies) are interfering with the cookie transmission.

Does this help clarify the potential cause and next steps? Tag @better-auth-agent if you would like an answer from the Agent.

DiagramDiscordGitHub

Diagram Join Star

<!-- gh-comment-id:3508193603 --> @better-auth-agent[bot] commented on GitHub (Nov 9, 2025): Thanks for reporting this. The issue appears to be that the OAuth state cookie is set with a partitioned attribute on your backend domain, so when your SPA on a different domain (via trustedOrigins) handles the callback, the state cookie isn’t sent with the request—resulting in a state_mismatch error. Here are some next steps to troubleshoot this: • Confirm that the cookie settings (such as domain and partitioned flag) match the domain from which you are expecting the cookie. In a multi-tenant setup where the SPA and backend are on different domains, the partitioning may prevent the state cookie from being available in the redirect request. [[1]](https://github.com/better-auth/better-auth/issues/4125) • Consider whether you can adjust the cookie attributes just for the OAuth flow. For example, you might try removing the “partitioned: true” option for the state cookie or customizing the domain attribute so that both the SPA and backend share the same cookie context during the redirect. • If changing the cookie’s domain isn’t feasible, you might need to explore alternative methods (e.g. storing the state parameter in browser storage temporarily) to ensure that the state persists across domains during the OAuth flow. • Double-check that trustedOrigins is correctly configured and that no additional security settings (like strict sameSite policies) are interfering with the cookie transmission. Does this help clarify the potential cause and next steps? Tag @better-auth-agent if you would like an answer from the Agent. <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
GiteaMirror commented 2026-04-15 17:44:46 -05:00
Author
Owner
Copy Link

@agarwalvaibhav0211 commented on GitHub (Nov 9, 2025):

@better-auth-agent, we cannot do away with partitioned cookies. Going through the repo, it seems we have a flag skipStateCookieCheck. What are the risks associated with it?

<!-- gh-comment-id:3508213712 --> @agarwalvaibhav0211 commented on GitHub (Nov 9, 2025): @better-auth-agent, we cannot do away with partitioned cookies. Going through the repo, it seems we have a flag skipStateCookieCheck. What are the risks associated with it?
GiteaMirror commented 2026-04-15 17:44:47 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Nov 9, 2025):

Disabling the state cookie check by using skipStateCookieCheck means that the typical security guard—the state cookie used to tie your OAuth request to its callback—is bypassed. This check is designed to prevent CSRF and similar attacks by ensuring that the response is linked to the original authentication request. Without it, there’s an increased risk that an attacker could craft a malicious callback, potentially leading to session hijacking or token substitution attacks. In short, while enabling skipStateCookieCheck might let you work around issues caused by partitioned cookies, it compromises a key part of the OAuth flow’s security.

Does this help clarify the trade-offs for your setup, or would you like to discuss potential alternative solutions? tag @better-auth-agent if you would like an answer from the Agent

DiagramDiscordGitHub

Diagram Join Star

<!-- gh-comment-id:3508214797 --> @better-auth-agent[bot] commented on GitHub (Nov 9, 2025): Disabling the state cookie check by using skipStateCookieCheck means that the typical security guard—the state cookie used to tie your OAuth request to its callback—is bypassed. This check is designed to prevent CSRF and similar attacks by ensuring that the response is linked to the original authentication request. Without it, there’s an increased risk that an attacker could craft a malicious callback, potentially leading to session hijacking or token substitution attacks. In short, while enabling skipStateCookieCheck might let you work around issues caused by partitioned cookies, it compromises a key part of the OAuth flow’s security. Does this help clarify the trade-offs for your setup, or would you like to discuss potential alternative solutions? tag @better-auth-agent if you would like an answer from the Agent <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
GiteaMirror commented 2026-04-15 17:44:48 -05:00
Author
Owner
Copy Link

@agarwalvaibhav0211 commented on GitHub (Nov 9, 2025):

@better-auth-agent, then any other solution? We cannot remove partitioned flag. The Auth Domain and SPA domain needs to be under separate Top Level Domains.

<!-- gh-comment-id:3508303733 --> @agarwalvaibhav0211 commented on GitHub (Nov 9, 2025): @better-auth-agent, then any other solution? We cannot remove partitioned flag. The Auth Domain and SPA domain needs to be under separate Top Level Domains.
GiteaMirror commented 2026-04-15 17:44:48 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Nov 9, 2025):

Based on your report [1], the root of the issue is that the partitioned flag forces Better Auth to bind the OAuth state cookie to the auth domain (example-2.com), which isn’t accessible when your SPA on example.com makes the callback request. Since you can’t remove the partitioned flag and the two domains are on separate TLDs, one workaround is to avoid storing the state solely in a partitioned cookie. Instead, you might try implementing a server‐side state storage mechanism (for example, in a database or in-memory store) that both domains can reference during the OAuth flow. This way, when the callback comes in, the auth service can verify the OAuth state from a shared back‑end instead of relying exclusively on cookies.

Have you considered any alternative shared state methods for your cross‑domain flow? Tag @better-auth-agent if you would like an answer from the Agent.

DiagramDiscordGitHub

Diagram Join Star

<!-- gh-comment-id:3508304239 --> @better-auth-agent[bot] commented on GitHub (Nov 9, 2025): Based on your report [[1]](https://github.com/better-auth/better-auth/issues/4125), the root of the issue is that the partitioned flag forces Better Auth to bind the OAuth state cookie to the auth domain (example-2.com), which isn’t accessible when your SPA on example.com makes the callback request. Since you can’t remove the partitioned flag and the two domains are on separate TLDs, one workaround is to avoid storing the state solely in a partitioned cookie. Instead, you might try implementing a server‐side state storage mechanism (for example, in a database or in-memory store) that both domains can reference during the OAuth flow. This way, when the callback comes in, the auth service can verify the OAuth state from a shared back‑end instead of relying exclusively on cookies. Have you considered any alternative shared state methods for your cross‑domain flow? Tag @better-auth-agent if you would like an answer from the Agent. <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
GiteaMirror commented 2026-04-15 17:44:49 -05:00
Author
Owner
Copy Link

@agarwalvaibhav0211 commented on GitHub (Nov 11, 2025):

@better-auth-agent, We are thinking of creating a plugin which does the following. Please check and verify if this would stop the CSRF Attack vector which is being handled above, for a cross domain SPA and backend.

  1. We enable skipStateCookieCheck.
  2. We intercept the redirection happening in /callback/:id and /oauth2/callback/:providerId.
  3. We add a short lived token associated with the state value in our DB. We send this token as a query parameter during the redirection. Delete the session newly created, and add the session to be created to the state and token.
  4. The SPA, when navigated to the callback URL, sends the token it recieves to our plugin.
  5. Our Plugin validates the token, and the state value in the cookie, and only creates the session (from the associated data), once both are validated.

This should Stop the CSRF vulnerability by validating the State Cookie at the token validation time

<!-- gh-comment-id:3515398419 --> @agarwalvaibhav0211 commented on GitHub (Nov 11, 2025): @better-auth-agent, We are thinking of creating a plugin which does the following. Please check and verify if this would stop the CSRF Attack vector which is being handled above, for a cross domain SPA and backend. 1. We enable skipStateCookieCheck. 2. We intercept the redirection happening in /callback/:id and /oauth2/callback/:providerId. 3. We add a short lived token associated with the state value in our DB. We send this token as a query parameter during the redirection. Delete the session newly created, and add the session to be created to the state and token. 4. The SPA, when navigated to the callback URL, sends the token it recieves to our plugin. 5. Our Plugin validates the token, and the state value in the cookie, and only creates the session (from the associated data), once both are validated. This should Stop the CSRF vulnerability by validating the State Cookie at the token validation time
GiteaMirror commented 2026-04-15 17:44:49 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Nov 11, 2025):

Your approach of creating a plugin to bypass the default state cookie check by introducing a short-lived token for validation does sound promising. This method can potentially mitigate the CSRF risk in a cross-domain setup where partitioned cookies cause the state cookie to be lost during redirects. Key next steps include:

• Ensuring that the short-lived token is securely stored and coupled with the original state so that it expires quickly and cannot be reused by an attacker.

• Thoroughly testing the process of deleting the pre-created session and then creating a new one only after both the token and state cookie are validated.

• Verifying that bypassing the state cookie check does not open another attack vector, and ensuring all token validations and error handling are rigorous.

Do you have detailed plans for handling edge cases such as race conditions or token mismatches? Tag @better-auth-agent if you would like an answer from the Agent.

DiagramDiscordGitHub

Diagram Join Star

<!-- gh-comment-id:3515399347 --> @better-auth-agent[bot] commented on GitHub (Nov 11, 2025): Your approach of creating a plugin to bypass the default state cookie check by introducing a short-lived token for validation does sound promising. This method can potentially mitigate the CSRF risk in a cross-domain setup where partitioned cookies cause the state cookie to be lost during redirects. Key next steps include: • Ensuring that the short-lived token is securely stored and coupled with the original state so that it expires quickly and cannot be reused by an attacker. • Thoroughly testing the process of deleting the pre-created session and then creating a new one only after both the token and state cookie are validated. • Verifying that bypassing the state cookie check does not open another attack vector, and ensuring all token validations and error handling are rigorous. Do you have detailed plans for handling edge cases such as race conditions or token mismatches? Tag @better-auth-agent if you would like an answer from the Agent. <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
GiteaMirror commented 2026-04-15 17:44:50 -05:00
Author
Owner
Copy Link

@agarwalvaibhav0211 commented on GitHub (Nov 11, 2025):

@better-auth-agent, can you tag a maintainer to check if this is something viable to be added as a plugin/core to the better-auth repo itself, or would this work better as a private plugin?

<!-- gh-comment-id:3515407364 --> @agarwalvaibhav0211 commented on GitHub (Nov 11, 2025): @better-auth-agent, can you tag a maintainer to check if this is something viable to be added as a plugin/core to the better-auth repo itself, or would this work better as a private plugin?
GiteaMirror commented 2026-04-15 17:44:51 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Nov 11, 2025):

Thanks for reporting the issue! It appears that when using partitioned cookies, the state cookie used in the OAuth flow is being set on a domain (example-2.com) that isn’t accessible by your SPA (example.com), which results in the state_mismatch error. One approach you might consider is either adjusting the cookie settings to use compatible domains or, if keeping partitioned cookies is required, managing the state outside of the default cookie mechanism (e.g., via a custom plugin) so that the state remains available across your domains [1].

At this point, it’s not clear whether incorporating such logic into the core framework would be the best option or if a private plugin would be more suitable. I recommend tagging a maintainer to get further insight—specifically, you might want to ask if they have plans to support this scenario natively or if they advise building a custom solution.

tag @better-auth-agent if you would like an answer from the Agent.

Could you share any additional context regarding how the domains interact or any security constraints you must adhere to?

DiagramDiscordGitHub

Diagram Join Star

<!-- gh-comment-id:3515408180 --> @better-auth-agent[bot] commented on GitHub (Nov 11, 2025): Thanks for reporting the issue! It appears that when using partitioned cookies, the state cookie used in the OAuth flow is being set on a domain (example-2.com) that isn’t accessible by your SPA (example.com), which results in the state_mismatch error. One approach you might consider is either adjusting the cookie settings to use compatible domains or, if keeping partitioned cookies is required, managing the state outside of the default cookie mechanism (e.g., via a custom plugin) so that the state remains available across your domains [[1]](https://github.com/better-auth/better-auth/issues/4125). At this point, it’s not clear whether incorporating such logic into the core framework would be the best option or if a private plugin would be more suitable. I recommend tagging a maintainer to get further insight—specifically, you might want to ask if they have plans to support this scenario natively or if they advise building a custom solution. tag @better-auth-agent if you would like an answer from the Agent. Could you share any additional context regarding how the domains interact or any security constraints you must adhere to? <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
GiteaMirror commented 2026-04-15 17:44:51 -05:00
Author
Owner
Copy Link

@agarwalvaibhav0211 commented on GitHub (Nov 11, 2025):

@ping-maxwell @Bekacru @himself65, what do you guys think? Would you guys be open to merge such a plugin/core functionality to the better-auth repo itself? This should allow better-auth to be used in a cross domain setup, with partitioned cookies(which is increasingly becoming a requirement for cross domain setups).

<!-- gh-comment-id:3515428270 --> @agarwalvaibhav0211 commented on GitHub (Nov 11, 2025): @ping-maxwell @Bekacru @himself65, what do you guys think? Would you guys be open to merge such a plugin/core functionality to the better-auth repo itself? This should allow better-auth to be used in a cross domain setup, with partitioned cookies(which is increasingly becoming a requirement for cross domain setups).
GiteaMirror commented 2026-04-15 17:44:52 -05:00
Author
Owner
Copy Link

@himself65 commented on GitHub (Nov 13, 2025):

It is not possible to share cross-domain cookies. The only solution is to make your website part of the same domain, such as auth.example.com and example.com. Alternatively, you could implement something like OAuth login or JWT login.

Sharing cookies across domains is blocked by the browser for security reasons, so we cannot make that happen

<!-- gh-comment-id:3529783085 --> @himself65 commented on GitHub (Nov 13, 2025): It is not possible to share cross-domain cookies. The only solution is to make your website part of the same domain, such as `auth.example.com` and `example.com`. Alternatively, you could implement something like OAuth login or JWT login. Sharing cookies across domains is blocked by the browser for security reasons, so we cannot make that happen
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label bug locked
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#18996
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?