Multi Session plugin creates multiple cookies for the same account when signing in multiple times. #2348

Closed
opened 2026-03-13 09:45:44 -05:00 by GiteaMirror · 6 comments
Owner

Originally created by @at-channel on GitHub (Nov 22, 2025).

Originally assigned to: @Paola3stefania on GitHub.

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

Enabled the Multi Session plugin. Sign in with the same account multiple times without signing out.

Current vs. Expected behavior

When signing in with the same account multiple times, I would expect the old cookie to be replaced with the new cookie for that one account.

Instead, what happens is a new cookie is created in addition to that same user's old cookie, so the user will end up having multiple cookies just for that same account.

What version of Better Auth are you using?

1.4

System info

{
  "system": {
    "platform": "darwin",
    "arch": "arm64",
    "version": "Darwin Kernel Version 25.1.0: Mon Oct 20 19:34:05 PDT 2025; root:xnu-12377.41.6~2/RELEASE_ARM64_T6041",
    "release": "25.1.0",
    "cpuCount": 12,
    "cpuModel": "Apple M4 Pro",
    "totalMemory": "24.00 GB",
    "freeMemory": "0.75 GB"
  },
  "node": {
    "version": "v24.10.0",
    "env": "development"
  },
  "packageManager": {
    "name": "npm",
    "version": "11.6.0"
  },
  "frameworks": [
    {
      "name": "vue",
      "version": "^3.5.16"
    },
    {
      "name": "nuxt",
      "version": "^4.2.1"
    }
  ],
  "databases": [
    {
      "name": "pg",
      "version": "^8.16.3"
    }
  ],
  "betterAuth": {
    "version": "^1.4.0",
    "config": null
  }
}

Which area(s) are affected? (Select all that apply)

Client

Auth config (if applicable)


Additional context

No response

GiteaMirror added the pluginbug labels 2026-03-13 09:45:44 -05:00
Author
Owner

@better-auth-agent[bot] commented on GitHub (Nov 22, 2025):

Hi there, thanks for reporting the issue with the Multi Session plugin. It sounds like the expected behavior is that signing in more than once with the same account should replace the previous session cookie rather than adding a new one. Please check that your configuration does not override the default cookie settings; for instance, custom cookie domains or names might affect the way existing cookies are replaced. Also, verify that your client isn’t caching previous cookies unusually. This behavior might indicate a bug in the Multi Session plugin’s session handling, so confirming your setup and providing any custom cookie configurations could help us diagnose further. Tag @better-auth-agent if you would like an answer from the Agent. Would you be able to share any additional context on your cookie configuration or any middleware that might affect cookie handling?

Author
Owner

@dosubot[bot] commented on GitHub (Nov 22, 2025):

Hi @at-channel! I'm Dosu and I’m helping the better-auth team.

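The Multi Session plugin is intentionally designed to allow multiple concurrent sessions per user, which means it creates a separate cookie for each active session instead of replacing the old one. Each session gets its own cookie (named like `session_token_multi-{sessionToken}`), and this continues until the configurable `maximumSessions` limit is reached (default is 5) [[source](https://github.com/better-auth/better-auth/blob/9e2b5ce6322e3a36d6a191772fa47389027f5b4e/packages/better-auth/src/plugins/multi-session/index.ts#L16-L357)]. This behavior is confirmed by both the code and test files, and matches the intended multi-session UX [[source](https://github.com/better-auth/better-auth/blob/9e2b5ce6322e3a36d6a191772fa47389027f5b4e/packages/better-auth/src/plugins/multi-session/multi-session.test.ts#L11-L150)].

If you want single-session behavior (where the old cookie is replaced), you should disable the Multi Session plugin or enforce single-session logic with hooks. There is no built-in option to automatically replace the old cookie for the same account when using this plugin [[source](https://github.com/better-auth/better-auth/discussions/5252#discussioncomment-14658649)].

There is also a known bug in the cookie counting logic (off-by-one error) that can affect the number of multi-session cookies created, but the general behavior of multiple cookies per account is by design [[source](https://github.com/better-auth/better-auth/issues/4490#issuecomment-3263232395)].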

To reply, just mention @dosu.


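The two behaviours contrasted in this thread (one cookie per session versus one cookie per account), as an added model that is not taken from Better Auth's source. Assumptions: in-memory Maps stand in for the cookie jar and the session table, the cookie value is the bare session token, and all helper names are hypothetical; only the `session_token_multi-` name pattern comes from the comment above.

```typescript
// Added illustration: a model of the behaviour in this issue, not Better Auth code.
// Assumptions: Maps stand in for the browser cookie jar and the server session
// table; the cookie value is the bare session token; helper names are hypothetical.
type CookieJar = Map<string, string>;    // cookie name -> session token
type SessionStore = Map<string, string>; // session token -> user id

const MULTI_PREFIX = "session_token_multi-"; // name pattern quoted in the thread

// Reported behaviour: the cookie is keyed by session token, so a second
// sign-in by the same account adds a cookie instead of replacing one.
function signInPerSession(jar: CookieJar, store: SessionStore, userId: string, token: string): void {
  store.set(token, userId);
  jar.set(MULTI_PREFIX + token, token);
}

// Behaviour the reporter expected: one cookie per account. Sessions already
// held in this jar for the same user are revoked server-side before the new
// cookie is set, so the replaced token cannot be reused later.
function signInPerAccount(jar: CookieJar, store: SessionStore, userId: string, token: string): string[] {
  const revoked: string[] = [];
  for (const [name, oldToken] of Array.from(jar.entries())) {
    if (!name.startsWith(MULTI_PREFIX)) continue;
    if (store.get(oldToken) !== userId) continue; // another account: keep it
    store.delete(oldToken); // server-side revocation
    jar.delete(name);       // a real response would expire the cookie instead
    revoked.push(oldToken);
  }
  signInPerSession(jar, store, userId, token);
  return revoked;
}

// Number of multi-session cookies in the jar that resolve to the given user.
function cookiesForUser(jar: CookieJar, store: SessionStore, userId: string): number {
  let count = 0;
  jar.forEach((token, name) => {
    if (name.startsWith(MULTI_PREFIX) && store.get(token) === userId) count++;
  });
  return count;
}

// Constructed scenario: alice signs in twice, bob once, under each policy.
function demo(): { perSession: number; perAccount: number; bobKept: number } {
  const jarA: CookieJar = new Map(), storeA: SessionStore = new Map();
  const jarB: CookieJar = new Map(), storeB: SessionStore = new Map();
  const logins = [{ u: "alice", t: "t1" }, { u: "bob", t: "t2" }, { u: "alice", t: "t3" }];
  for (const { u, t } of logins) {
    signInPerSession(jarA, storeA, u, t);
    signInPerAccount(jarB, storeB, u, t);
  }
  return { perSession: cookiesForUser(jarA, storeA, "alice"),
           perAccount: cookiesForUser(jarB, storeB, "alice"),
           bobKept: cookiesForUser(jarB, storeB, "bob") };
}
```

The per-account variant deletes the old session from the store as well as the jar; dropping only the cookie would leave the earlier token valid on the server.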
Author
Owner

@Adityakk9031 commented on GitHub (Nov 23, 2025):

@dosubot can you tell me the possible code part that is causing this error?

Author
Owner

@Adityakk9031 commented on GitHub (Nov 25, 2025):

@dosubot please ask anyone to review the PR and close this issue

Author
Owner

@rahultumma-jnext commented on GitHub (Jan 2, 2026):

Any update on this issue?

Author
Owner

@bytaesu commented on GitHub (Jan 30, 2026):

  • Closing this as a result of #7256

Reference: github-starred/better-auth#2348