[PR #4572] [MERGED] fix(lastLoginMethod): inherit cross-subdomain cookie settings in lastLoginMethod plugin #22356

Closed
opened 2026-04-15 20:59:19 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/4572
Author: @lumpinif
Created: 9/10/2025
Status: Merged
Merged: 9/11/2025
Merged by: @himself65

Base: canary ← Head: fix-last-login-method-cross-subdomain-clean


📝 Commits (2)

  • 54cba38 fix: inherit cross-subdomain cookie settings in lastLoginMethod plugin
  • 9f0887f fix(lastLoginMethod) inherit cross-domain cookie settings in lastLoginMethod plugin

📊 Changes

3 files changed (+249 additions, -6 deletions)

📝 docs/content/docs/plugins/last-login-method.mdx (+10 -0)
➕ packages/better-auth/src/plugins/last-login-method/custom-prefix.test.ts (+225 -0)
📝 packages/better-auth/src/plugins/last-login-method/index.ts (+14 -6)

📄 Description

Summary

The lastLoginMethod plugin was using hardcoded cookie attributes, bypassing Better Auth's centralized cookie system. This prevented the plugin from inheriting cross-subdomain cookie settings when crossSubDomainCookies.enabled was true.

Changes

  • Replace hardcoded cookie attributes with proper inheritance from crossSubDomainCookies configuration
  • Add comprehensive tests for cross-subdomain functionality with custom prefixes
  • Update documentation with cross-subdomain usage examples

Test Plan

  • All existing tests pass
  • Added 4 new test cases covering:
    • Default cookie name with custom prefix
    • Custom cookie name with prefix
    • Custom cookie name regardless of prefix
    • Cross-subdomain functionality with custom prefix
  • Manual testing of cross-subdomain cookie inheritance

Before/After

Before: The plugin used hardcoded cookie attributes, ignoring global cross-subdomain settings

ctx.setCookie(config.cookieName, lastUsedLoginMethod, {
  maxAge: config.maxAge,
  secure: false,
  httpOnly: false,
  path: "/",
});

After: The plugin inherits cross-subdomain settings from Better Auth configuration

const cookieAttributes = {
  maxAge: config.maxAge,
  secure: false,
  httpOnly: false,
  path: "/",
  // Inherit cross-subdomain domain if enabled
  ...(ctx.context.options.advanced?.crossSubDomainCookies?.enabled
    ? {
        domain:
          ctx.context.options.advanced.crossSubDomainCookies.domain ||
          (ctx.context.options.baseURL
            ? new URL(ctx.context.options.baseURL).hostname
            : undefined),
      }
    : {}),
};

Related Issues

Fixes cross-subdomain cookie inheritance for lastLoginMethod plugin to align with Better Auth's centralized cookie system.


Summary by cubic

Fixes lastLoginMethod to inherit cross-subdomain cookie settings so the last used login method works across subdomains when enabled. Adds tests and docs for custom cookie names/prefixes and domain handling.

  • Bug Fixes
    • Replace hardcoded cookie attributes with values derived from advanced.crossSubDomainCookies.
    • Set cookie Domain from configured domain or baseURL hostname when enabled, and respect the exact configured cookieName (not affected by cookiePrefix).

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
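
Added example (not code from this PR or from Better Auth): the domain precedence from the "After" snippet, paired with the RFC 6265 domain-match rule, to show which hosts actually receive the cookie in each configuration. When only baseURL is set, the fallback Domain is the full hostname, so sibling subdomains are still excluded. The helper names and the example.com hosts are assumptions made for illustration.

```typescript
// Added example, not Better Auth source. Option names mirror the PR snippet;
// resolveCookieDomain, domainMatches and hostsReceivingCookie are hypothetical.
interface AuthOptions {
  baseURL?: string;
  advanced?: { crossSubDomainCookies?: { enabled: boolean; domain?: string } };
}

// Same precedence as the "After" snippet: explicit domain, else baseURL hostname.
function resolveCookieDomain(options: AuthOptions): string | undefined {
  const cross = options.advanced?.crossSubDomainCookies;
  if (!cross || !cross.enabled) return undefined; // no Domain attribute: host-only cookie
  return cross.domain || (options.baseURL ? new URL(options.baseURL).hostname : undefined);
}

// RFC 6265 section 5.1.3 domain-match, simplified (no IP or public-suffix checks).
function domainMatches(requestHost: string, cookieDomain: string): boolean {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// Hosts a browser would send the cookie to, given the host that set it.
function hostsReceivingCookie(options: AuthOptions, setBy: string, hosts: string[]): string[] {
  const domain = resolveCookieDomain(options);
  return hosts.filter((h) => (domain ? domainMatches(h, domain) : h === setBy));
}

// Constructed sample hosts and configurations.
const hosts = ["auth.example.com", "login.auth.example.com", "app.example.com",
  "example.com", "badexample.com"];
const disabled: AuthOptions = { baseURL: "https://auth.example.com" };
const fallback: AuthOptions = {
  baseURL: "https://auth.example.com",
  advanced: { crossSubDomainCookies: { enabled: true } },
};
const explicit: AuthOptions = {
  baseURL: "https://auth.example.com",
  advanced: { crossSubDomainCookies: { enabled: true, domain: "example.com" } },
};

const cases: [string, AuthOptions][] = [
  ["disabled", disabled], ["fallback", fallback], ["explicit", explicit],
];
for (const [label, opts] of cases) {
  console.log(label, resolveCookieDomain(opts),
    hostsReceivingCookie(opts, "auth.example.com", hosts));
}
```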
