[GH-ISSUE #1862] ctx.setCookie is not called in auth.api.getSession in v1.2.4 #8951

New Issue

GiteaMirror · 2026-04-13T04:11:53-05:00

GiteaMirror commented

2026-04-13 04:11:53 -05:00

Originally created by @tedlex on GitHub (Mar 18, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/1862

Is this suited for github?

Yes, this is suited for github

To Reproduce

The example is a middleware in expressJS.

It calls auth.api.getSession(ctx). Method setCookie is defined in ctx.

export const sessionMW = async (
  req: Request,
  res: Response,
  next: Function
) => {
  const ctx = {
    headers: fromNodeHeaders(req.headers),
    setCookie: (name: string, data: string, options: any) => {
      console.log(`Setting cookie: ${name}`);
      res.cookie(name, data, {
        ...options,
        maxAge: config.sessionCache_maxAge * 1000, // 5 minutes
      });
    },
  };
  
  const session = await auth.api.getSession(ctx);

  if (!session) {
    return res.status(401).json({ error: "Unauthorized: Invalid session" });
  }

  req.session = session;
  next();
};

Current vs. Expected behavior

ctx.setCookie is expected to be called when cookieCache is enabled and no cache found in request header. The goal is to refresh the cache cookie when it is expired.

You can reproduce it by deleteing the session_data cookie in browser.

It works as expected in v1.1.21

But it doesn't work in v1.2.4. No log information is printed and cache cookie is not set. It seems that ctx.setCookie is not called.

What version of Better Auth are you using?

1.2.4

Provide environment information

- OS: MACOS 15.3.2 
- browser: chrome

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  database: drizzleAdapter(db, {
    provider: "pg",
    schema: schema,
  }),
  emailAndPassword: {
    enabled: true,
    requireEmailVerification: true,
  },
  session: {
    cookieCache: {
      enabled: true,
      maxAge: config.sessionCache_maxAge, // Cache duration in seconds
    },
  },

Additional context

No response

Originally created by @tedlex on GitHub (Mar 18, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/1862 ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce The example is a middleware in expressJS. It calls `auth.api.getSession(ctx)`. Method `setCookie` is defined in ctx. ```typescript export const sessionMW = async ( req: Request, res: Response, next: Function ) => { const ctx = { headers: fromNodeHeaders(req.headers), setCookie: (name: string, data: string, options: any) => { console.log(`Setting cookie: ${name}`); res.cookie(name, data, { ...options, maxAge: config.sessionCache_maxAge * 1000, // 5 minutes }); }, }; const session = await auth.api.getSession(ctx); if (!session) { return res.status(401).json({ error: "Unauthorized: Invalid session" }); } req.session = session; next(); }; ``` ### Current vs. Expected behavior `ctx.setCookie` is expected to be called when cookieCache is enabled and no cache found in request header. The goal is to refresh the cache cookie when it is expired. You can reproduce it by deleteing the session_data cookie in browser. It works as expected in v1.1.21 But it doesn't work in v1.2.4. No log information is printed and cache cookie is not set. It seems that ctx.setCookie is not called. ### What version of Better Auth are you using? 1.2.4 ### Provide environment information ```bash - OS: MACOS 15.3.2 - browser: chrome ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ database: drizzleAdapter(db, { provider: "pg", schema: schema, }), emailAndPassword: { enabled: true, requireEmailVerification: true, }, session: { cookieCache: { enabled: true, maxAge: config.sessionCache_maxAge, // Cache duration in seconds }, }, ``` ### Additional context _No response_

GiteaMirror added the locked bug labels 2026-04-13 04:11:53 -05:00

GiteaMirror closed this issue

2026-04-13 04:11:54 -05:00

GiteaMirror commented

2026-04-13 04:11:55 -05:00

@Muhamed-Ragab commented on GitHub (Mar 19, 2025):

This an example of my authentication middleware you can check it, this is working well with me, if your cookies are not working well you can try to build a plugin or use hooks inside better-auth

import { auth } from "@/core/better-auth/auth";
import { fromNodeHeaders } from "better-auth/node";
import type { RequestHandler } from "express";
import { ReasonPhrases, StatusCodes } from "HTTP-status-codes";

export const authenticate middleware: RequestHandler = async (
  req,
  res,
  next,
) => {
  const session = await auth.api.getSession({
    headers: fromNodeHeaders(req.headers),
  });

  if (!session) {
    res.status(StatusCodes.UNAUTHORIZED).json({
      message: "You are not authenticated",
      code: ReasonPhrases.UNAUTHORIZED,
    });
    return;
  }

  req.session = session.session;
  req.user = session.user;

  next();
};

@Muhamed-Ragab commented on GitHub (Mar 19, 2025): This an example of my authentication middleware you can check it, this is working well with me, if your cookies are not working well you can try to build a plugin or use hooks inside **better-auth** ```ts import { auth } from "@/core/better-auth/auth"; import { fromNodeHeaders } from "better-auth/node"; import type { RequestHandler } from "express"; import { ReasonPhrases, StatusCodes } from "HTTP-status-codes"; export const authenticate middleware: RequestHandler = async ( req, res, next, ) => { const session = await auth.api.getSession({ headers: fromNodeHeaders(req.headers), }); if (!session) { res.status(StatusCodes.UNAUTHORIZED).json({ message: "You are not authenticated", code: ReasonPhrases.UNAUTHORIZED, }); return; } req.session = session.session; req.user = session.user; next(); }; ```

GiteaMirror commented

2026-04-13 04:11:55 -05:00

@tedlex commented on GitHub (Mar 19, 2025):

@Muhamed-Ragab Thanks for the example. But how do you refresh your session cache cookie in this middleware after it expired? auth.api.getSession can't do this because it only returns session. There is no way to pass res.cookie to it.

@tedlex commented on GitHub (Mar 19, 2025): @Muhamed-Ragab Thanks for the example. But how do you refresh your session cache cookie in this middleware after it expired? `auth.api.getSession` can't do this because it only returns session. There is no way to pass `res.cookie` to it.

GiteaMirror commented

2026-04-13 04:11:56 -05:00

@Muhamed-Ragab commented on GitHub (Mar 19, 2025):

@Muhamed-Ragab Thanks for the example. But how do you refresh your session cache cookie in this middleware after it expired? auth.api.getSession can't do this because it only returns session. There is no way to pass res.cookie to it.

You can look at this: https://www.better-auth.com/docs/concepts/session-management#session-expiration

@Muhamed-Ragab commented on GitHub (Mar 19, 2025): > [@Muhamed-Ragab](https://github.com/Muhamed-Ragab) Thanks for the example. But how do you refresh your session cache cookie in this middleware after it expired? `auth.api.getSession` can't do this because it only returns session. There is no way to pass `res.cookie` to it. You can look at this: https://www.better-auth.com/docs/concepts/session-management#session-expiration

GiteaMirror commented

2026-04-13 04:11:56 -05:00

@tedlex commented on GitHub (Mar 19, 2025):

@Muhamed-Ragab It doesn't have information about how to refresh cache. If you call getSession at client side, it will refresh the cache cookie. But if you call getSession at server side, like in the middleware, it only returns the session value, but will not set cookie even though the cache has expired. In v1.1.21 you can define setCookie in ctx and pass it into getSession, but this doesn't work any more in v1.2.4

@tedlex commented on GitHub (Mar 19, 2025): @Muhamed-Ragab It doesn't have information about how to refresh cache. If you call `getSession` at client side, it will refresh the cache cookie. But if you call `getSession` at server side, like in the middleware, it only returns the session value, but will not set cookie even though the cache has expired. In v1.1.21 you can define `setCookie` in ctx and pass it into `getSession`, but this doesn't work any more in v1.2.4

GiteaMirror commented

2026-04-13 04:11:57 -05:00

@ErikPetersenDev commented on GitHub (Mar 19, 2025):

I'm running into the same problem with TanStack Start. Discussed in Discord here: https://discord.com/channels/1288403910284935179/1341250530982363158

As in your case, it was working in 1.1.21 but doesn't work after 1.2.0 due to the way the provided context is merged. The BA code now appears to make a special exception for "headers" but everything else is overwritten. So ctx.setCookie is technically being called inside setCookieCache (when called from getSession), but it's the default one that doesn't work server-side from our frameworks (Express, TanStack Start).

@ErikPetersenDev commented on GitHub (Mar 19, 2025): I'm running into the same problem with TanStack Start. Discussed in Discord here: https://discord.com/channels/1288403910284935179/1341250530982363158 As in your case, it was working in 1.1.21 but doesn't work after 1.2.0 due to the way the provided context is merged. The BA code now appears to make a special exception for "headers" but everything else is overwritten. So `ctx.setCookie` is technically being called inside `setCookieCache` (when called from `getSession`), but it's the default one that doesn't work server-side from our frameworks (Express, TanStack Start).

GiteaMirror commented

2026-04-13 04:11:58 -05:00

@tedlex commented on GitHub (Mar 21, 2025):

@ErikPetersenDev Thanks. I am using v1.1.21 now. I think periodically call getSession at client side could make it work in v1.2 to refresh the cache. But I hope there will be a standard way to do this at server side.

@tedlex commented on GitHub (Mar 21, 2025): @ErikPetersenDev Thanks. I am using v1.1.21 now. I think periodically call getSession at client side could make it work in v1.2 to refresh the cache. But I hope there will be a standard way to do this at server side.

GiteaMirror commented

2026-04-13 04:11:58 -05:00

@ErikPetersenDev commented on GitHub (Mar 21, 2025):

periodically call getSession at client side could make it work in v1.2

@tedlex Yeah, this is what I'm doing for now. I already use React Query in the client, so my other backend fetches were previously (pre-1.2) more than enough to keep the session refreshed. The only difference now is that I have to have a separate fetch to getSession to keep that refreshed.

The other option, which I did at one point in the Discord thread, is to replicate setCookieCache in your own code, and set the cookie if it isn't present and the session is valid. That works, but it's also fragile since if anything changes in the Better Auth library your cookie could become incompatible (e.g., the cookie cache signature changed in 1.1.20 which would have broken any copies).

@ErikPetersenDev commented on GitHub (Mar 21, 2025): > periodically call getSession at client side could make it work in v1.2 @tedlex Yeah, this is what I'm doing for now. I already use React Query in the client, so my other backend fetches were previously (pre-1.2) more than enough to keep the session refreshed. The only difference now is that I have to have a separate fetch to getSession to keep that refreshed. The other option, which I did at one point in the Discord thread, is to replicate `setCookieCache` in your own code, and set the cookie if it isn't present and the session is valid. That works, but it's also fragile since if anything changes in the Better Auth library your cookie could become incompatible (e.g., the cookie cache signature changed in 1.1.20 which would have broken any copies).

GiteaMirror commented

2026-04-13 04:11:59 -05:00

@dennisjnnh commented on GitHub (Apr 3, 2025):

i have noticed another issue with the set-cookie header when using useSession() and the customSession plugin, but i'm not sure if this is related here. #2106

@dennisjnnh commented on GitHub (Apr 3, 2025): i have noticed another issue with the set-cookie header when using useSession() and the customSession plugin, but i'm not sure if this is related here. #2106

GiteaMirror commented

2026-04-13 04:11:59 -05:00

@Kinfe123 commented on GitHub (May 3, 2025):

is this still an issue @tedlex

@Kinfe123 commented on GitHub (May 3, 2025): is this still an issue @tedlex

GiteaMirror commented

2026-04-13 04:12:00 -05:00

@agondigital-in commented on GitHub (Oct 5, 2025):

its may work for you

// src/middlewares/authenticate.middleware.ts
import type { NextFunction, Request, Response } from "express";
import { auth } from "@/lib/auth";

// Middleware to check if user is authenticated
export const authenticate = async (
req: Request,
res: Response,
next: NextFunction,
) => {
try {
const headers = new Headers();
if (req.headers.cookie) {
headers.set("cookie", req.headers.cookie);
}
const session = await auth.api.getSession({
headers,
});

	if (!session || !session.user) {
		return res.status(401).json({
			status: "error",
			message: "Unauthorized - Please login",
		});
	}

	// Attach user and session to request
	req.user = session.user;
	req.session = session.session;

	next();
} catch (error) {
	return res.status(401).json({
		status: "error",
		message: "Authentication failed",
	});
}

};

// Optional: Middleware to attach user if available (doesn't block if not authenticated)
export const optionalAuth = async (
req: Request,
res: Response,
next: NextFunction,
) => {
try {
const headers = new Headers();
if (req.headers.cookie) {
headers.set("cookie", req.headers.cookie);
}
const session = await auth.api.getSession({
headers,
});

	req.user = session?.user || null;
	req.session = session?.session || null;

	next();
} catch (error) {
	req.user = null;
	req.session = null;
	next();
}

};

@agondigital-in commented on GitHub (Oct 5, 2025): its may work for you // src/middlewares/authenticate.middleware.ts import type { NextFunction, Request, Response } from "express"; import { auth } from "@/lib/auth"; // Middleware to check if user is authenticated export const authenticate = async ( req: Request, res: Response, next: NextFunction, ) => { try { const headers = new Headers(); if (req.headers.cookie) { headers.set("cookie", req.headers.cookie); } const session = await auth.api.getSession({ headers, }); if (!session || !session.user) { return res.status(401).json({ status: "error", message: "Unauthorized - Please login", }); } // Attach user and session to request req.user = session.user; req.session = session.session; next(); } catch (error) { return res.status(401).json({ status: "error", message: "Authentication failed", }); } }; // Optional: Middleware to attach user if available (doesn't block if not authenticated) export const optionalAuth = async ( req: Request, res: Response, next: NextFunction, ) => { try { const headers = new Headers(); if (req.headers.cookie) { headers.set("cookie", req.headers.cookie); } const session = await auth.api.getSession({ headers, }); req.user = session?.user || null; req.session = session?.session || null; next(); } catch (error) { req.user = null; req.session = null; next(); } };

GiteaMirror referenced this issue

2026-04-13 10:34:55 -05:00

[PR #8951] chore(deps): bump defu from 6.1.4 to 6.1.5 #16567

GiteaMirror referenced this issue

2026-04-15 22:46:23 -05:00

[PR #8951] chore(deps): bump defu from 6.1.4 to 6.1.5 #25221

Sign in to join this conversation.

Branches Tags

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-227a091249

dependabot/github_actions/github-actions-98f3470200

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#8951

[GH-ISSUE #1862] ctx.setCookie is not called in auth.api.getSession in v1.2.4 #8951

Is this suited for github?

To Reproduce

Current vs. Expected behavior

What version of Better Auth are you using?

Provide environment information

Which area(s) are affected? (Select all that apply)

Auth config (if applicable)

Additional context

[GH-ISSUE #1862] `ctx.setCookie` is not called in `auth.api.getSession` in v1.2.4 #8951