[GH-ISSUE #6009] refreshCache #27723

New Issue

GiteaMirror · 2026-04-17T18:53:52-05:00

GiteaMirror commented

2026-04-17 18:53:52 -05:00

Originally created by @ijmozn on GitHub (Nov 15, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/6009

Hi,

my web project is full stack app(hono+nextjs). my betterAuth is in hono but the better authclient is in nextjs.
I am enabling cookieCache to have to have JWE token in cookie to avoid calling getSession on every route in frontend
I works fine until the cookieCache expires in 5 min from login but the cache is not refreshed and got logged out

how can I can refresh the cookieCache in frontend?

// backend/src/lib/auth.ts
export const auth = betterAuth({
    database: drizzleAdapter(db, {
      provider: "pg",
    }),
    secondaryStorage: {
      get: async (key) => await redis.get(key),
      set: async (key, value, ttl) => await redis.set(key, value, "EX", ttl),
      delete: async (key) => await redis.del(key)
  },
    session: {
        cookieCache: {
            enabled: true,
            strategy: "jwe",
            maxAge: 5 * 60,
            refreshCache: true
        }
    }
  ...
});

// frontend/middleware.ts
export default async function middleware(request: NextRequest) {
...
// check session from cache
 const session = await getCookieCache(request, { strategy: "jwe" });
...
}

Originally created by @ijmozn on GitHub (Nov 15, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/6009 Hi, my web project is full stack app(hono+nextjs). my betterAuth is in hono but the better authclient is in nextjs. I am enabling cookieCache to have to have JWE token in cookie to avoid calling `getSession` on every route in frontend I works fine until the cookieCache expires in 5 min from login but the cache is not refreshed and got logged out how can I can refresh the cookieCache in frontend? ``` // backend/src/lib/auth.ts export const auth = betterAuth({ database: drizzleAdapter(db, { provider: "pg", }), secondaryStorage: { get: async (key) => await redis.get(key), set: async (key, value, ttl) => await redis.set(key, value, "EX", ttl), delete: async (key) => await redis.del(key) }, session: { cookieCache: { enabled: true, strategy: "jwe", maxAge: 5 * 60, refreshCache: true } } ... }); ``` ``` // frontend/middleware.ts export default async function middleware(request: NextRequest) { ... // check session from cache const session = await getCookieCache(request, { strategy: "jwe" }); ... } ```

GiteaMirror added the locked label 2026-04-17 18:53:52 -05:00

GiteaMirror closed this issue

2026-04-17 18:53:53 -05:00

GiteaMirror commented

2026-04-17 18:53:55 -05:00

@dosubot[bot] commented on GitHub (Nov 15, 2025):

Hi @ibrahimjel! I'm Dosu and I’m helping the better-auth team.

To keep the cookieCache refreshed and avoid logout after 5 minutes, you need to trigger a session fetch from the frontend that allows the backend to set a new cookie before the cache expires. With recent better-auth versions, setting refreshCache: true (or using the new freshCache option) enables automatic refresh, but only if the client actually calls getSession or a similar endpoint in time for the backend to send a new Set-Cookie header. This does not happen automatically on the frontend unless you implement it.

The recommended approach is to periodically call getSession (for example, using a React Query interval, a useEffect timer, or a custom hook) from the frontend. This fetch should be made in a context where the response's Set-Cookie header is forwarded to the browser—such as a Next.js API route, middleware, or client-side fetch with credentials included. This will refresh the cookieCache and keep the user logged in without requiring a full session fetch on every route. If you want to force a refresh, you can call getSession with disableCookieCache: true to bypass the cache and update the cookie immediately. Make sure your cookie settings use sameSite: 'none' and secure: true for cross-origin requests, and that your frontend correctly forwards and sets cookies from the backend response.

Example:

In a Next.js API route or server action, call your hono backend's getSession endpoint, forward the Set-Cookie header to the client, and trigger this route from the frontend on an interval or when needed.
If using the better-auth React client, use the useSession hook and call refetch() periodically to keep the session fresh.

References:

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Nov 15, 2025):  Hi @ibrahimjel! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the better-auth team.  To keep the cookieCache refreshed and avoid logout after 5 minutes, you need to trigger a session fetch from the frontend that allows the backend to set a new cookie before the cache expires. With recent better-auth versions, setting refreshCache: true (or using the new freshCache option) enables automatic refresh, but only if the client actually calls getSession or a similar endpoint in time for the backend to send a new Set-Cookie header. This does not happen automatically on the frontend unless you implement it. The recommended approach is to periodically call getSession (for example, using a React Query interval, a useEffect timer, or a custom hook) from the frontend. This fetch should be made in a context where the response's Set-Cookie header is forwarded to the browser—such as a Next.js API route, middleware, or client-side fetch with credentials included. This will refresh the cookieCache and keep the user logged in without requiring a full session fetch on every route. If you want to force a refresh, you can call getSession with disableCookieCache: true to bypass the cache and update the cookie immediately. Make sure your cookie settings use sameSite: 'none' and secure: true for cross-origin requests, and that your frontend correctly forwards and sets cookies from the backend response. Example: - In a Next.js API route or server action, call your hono backend's getSession endpoint, forward the Set-Cookie header to the client, and trigger this route from the frontend on an interval or when needed. - If using the better-auth React client, use the useSession hook and call refetch() periodically to keep the session fresh. References: - [refreshCache and freshCache details, and how automatic refresh works](https://github.com/better-auth/better-auth/pull/5601) - [How to force a refresh with disableCookieCache: true](https://github.com/better-auth/better-auth/issues/1516) - [Why periodic client-side getSession calls are needed](https://github.com/better-auth/better-auth/issues/1862) - [Cross-origin cookie settings and session forwarding](https://github.com/better-auth/better-auth/issues/4188)  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/42e89c45-49dd-4794-8b5f-2dd1d7b51888?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/42e89c45-49dd-4794-8b5f-2dd1d7b51888?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/42e89c45-49dd-4794-8b5f-2dd1d7b51888?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/42e89c45-49dd-4794-8b5f-2dd1d7b51888?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/42e89c45-49dd-4794-8b5f-2dd1d7b51888?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/42e89c45-49dd-4794-8b5f-2dd1d7b51888?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/42e89c45-49dd-4794-8b5f-2dd1d7b51888?feedback_type=other)</sup>  [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github) [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/6009)

GiteaMirror commented

2026-04-17 18:53:56 -05:00

@ijmozn commented on GitHub (Nov 16, 2025):

when creating an authClient, I set the option refetch session every 5 min, assuming it will call get session but no api call is made to refresh the cache cookie, is is a bug?

export const authClient = createAuthClient({
  baseURL: process.env.NEXT_PUBLIC_API_URL,
  sessionOptions: {
    refetchInterval: 60 * 5, // 5 minutes
  },
  ...

6c9fe209e2/packages/better-auth/src/client/session-refresh.ts (L85-L96)

@ijmozn commented on GitHub (Nov 16, 2025): when creating an authClient, I set the option refetch session every 5 min, assuming it will call get session but no api call is made to refresh the cache cookie, is is a bug? ``` export const authClient = createAuthClient({ baseURL: process.env.NEXT_PUBLIC_API_URL, sessionOptions: { refetchInterval: 60 * 5, // 5 minutes }, ... ``` https://github.com/better-auth/better-auth/blob/6c9fe209e212938c9b624ad718fc43bd6044ad27/packages/better-auth/src/client/session-refresh.ts#L85-L96

GiteaMirror commented

2026-04-17 18:53:57 -05:00

@dosubot[bot] commented on GitHub (Nov 16, 2025):

Setting refetchInterval in createAuthClient does not trigger an API call to refresh the server-side session cookie—it only updates the local session cache. This is intended behavior, not a bug. To actually refresh the cookie and keep the session alive, you need to explicitly call getSession (or useSession().refetch()) from the client in a context where the Set-Cookie header can be set by the backend and received by the browser (like a client component, API route, or middleware) reference.

If you want to keep the cookieCache fresh, set up a timer or use a React hook to periodically call getSession from the frontend. This will ensure the backend can send a new cookie before the cache expires. The refetchInterval option in the client is for local cache polling and does not perform a server round-trip reference.

Let me know if you want an example of how to implement this in your Next.js app!

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Nov 16, 2025):  Setting refetchInterval in createAuthClient does not trigger an API call to refresh the server-side session cookie—it only updates the local session cache. This is intended behavior, not a bug. To actually refresh the cookie and keep the session alive, you need to explicitly call getSession (or useSession().refetch()) from the client in a context where the Set-Cookie header can be set by the backend and received by the browser (like a client component, API route, or middleware) [reference](https://github.com/better-auth/better-auth/issues/2115). If you want to keep the cookieCache fresh, set up a timer or use a React hook to periodically call getSession from the frontend. This will ensure the backend can send a new cookie before the cache expires. The refetchInterval option in the client is for local cache polling and does not perform a server round-trip [reference](https://github.com/better-auth/better-auth/issues/1006). Let me know if you want an example of how to implement this in your Next.js app!  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/f16069c4-8d07-41cf-b143-6f12a3645ae8?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/f16069c4-8d07-41cf-b143-6f12a3645ae8?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/f16069c4-8d07-41cf-b143-6f12a3645ae8?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/f16069c4-8d07-41cf-b143-6f12a3645ae8?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/f16069c4-8d07-41cf-b143-6f12a3645ae8?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/f16069c4-8d07-41cf-b143-6f12a3645ae8?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/f16069c4-8d07-41cf-b143-6f12a3645ae8?feedback_type=other)</sup>  [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github) [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/6009)

Sign in to join this conversation.

Branches Tags

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-227a091249

dependabot/github_actions/github-actions-98f3470200

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#27723