Question about session cookie cache

[ftmomin]

i have configure my auth as below

export const options = {
	baseURL: process.env.BETTER_AUTH_URL,
	database: drizzleAdapter(db, {
		provider: 'pg',
		schema
	}),
	secret: process.env.BETTER_AUTH_SECRET,
	rateLimit: {
		window: 10,
		max: 30,
	},
	session: {
		additionalFields: {
			activeOrganizationId: {
				type: 'string',
				required: false,
				defaultValue: null,
			},
		},
		cookieCache: {
			enabled: true,
			maxAge: 5 * 60, 
		},
	},
	advanced: {
		useSecureCookies: process.env.NODE_ENV === 'production',
	},
	trustedOrigins: process.env.BETTER_AUTH_TRUSTED_ORIGINS
		? process.env.BETTER_AUTH_TRUSTED_ORIGINS.split(',')
		: [],
	emailAndPassword: {
		enabled: true,
		requireEmailVerification: true,
		sendResetPassword: async ({ user, token }) => {
			await sendPasswordResetEmail({
				userEmail: user.email,
				userName: user.name,
				resetToken: token,
			});
		},
		onPasswordReset: async ({ user }) => {
			await sendPasswordChangedEmail({
				userEmail: user.email,
				userName: user.name,
			});
		},
	},
	emailVerification: {
		sendOnSignUp: true,
		sendVerificationEmail: async ({ user, url }) => {
			await sendVerifyEmail({
				userEmail: user.email,
				userName: user.name,
				url: url,
			});
		},
	},
	user: {
		additionalFields: {
			metadata: {
				type: 'string',
				required: false,
				defaultValue: null,
			},
			userSettings: {
				type: 'json',
				required: false,
			},
		},
	},
	plugins: [
		organization({
			additionalFields: {
				settings: {
					type: 'json',
					required: false,
				},
			},
			ac,
			dynamicAccessControl: {
				enabled: true,
			},
		}),
		nextCookies(),
	],
	databaseHooks: {
		session: {
			create: {
				before: async (session) => {
					const organization = await db.query.member.findMany({
						where: (member, { eq }) => eq(member.userId, session.userId),
						orderBy: (member, { desc }) => desc(member.createdAt),
						columns: {
							organizationId: true,
						},
					});

					if (!organization || organization.length === 0) {
						return {
							data: {
								...session,
								activeOrganizationId: null,
							},
						};
					}

					return {
						data: {
							...session,
							activeOrganizationId:
								organization && organization.length === 1
									? organization[0].organizationId
									: null,
						},
					};
				},
			},
		},
	},
} satisfies BetterAuthOptions;

export const auth = betterAuth({
	...options,
	plugins: [
		...(options.plugins ?? []),
		customSession(async ({ user, session }) => {
			if (
				session.activeOrganizationId === null ||
				session.activeOrganizationId === undefined
			) {
				return {
					user: {
						...user,
						role: 'member' as const satisfies TOrgRoles,
					},
					session,
				};
			}

			const activeOrg = await db.query.member.findFirst({
				where: (member, { eq, and }) =>
					and(
						eq(member.userId, session.userId),
						eq(member.organizationId, session.activeOrganizationId!),
					),
				orderBy: (member, { desc }) => desc(member.createdAt),
				columns: {
					role: true,
				},
			});

			if (!activeOrg) {
				return {
					user: {
						...user,
						role: 'member' as const satisfies TOrgRoles,
					},
					session,
				};
			}

			return {
				user: {
					...user,
					role: activeOrg.role,
				},
				session,
			};
		}, options),
	],
});

fetch session

export const getSessionUser = async (): Promise<TSession | null> => {
	try {
		return await auth.api.getSession({
			headers: await headers(),
		});
	} catch {
		return null;
	}
};

i am using better auth v1.6.5 and nextjs v16.2.4.
my question is, am I doing wrong. becuase my session cookies cache does not refresh. i do see session cookies cache being set when i login. but it does not refresh after maxAge.

[dosubot[bot]]

Hi @ftmomin! I'm Dosu and I’m helping the better-auth team.

Your config looks correct, but there are two things to be aware of:

Cookie cache doesn't self-refresh with a database. Since you have a database configured, Better Auth automatically disables the refreshCache mechanism [1]. The session_data cookie is a read-through cache only — it's set on login, expires after your maxAge (5 minutes), and then subsequent requests fall back to a fresh DB lookup. It's not regenerated automatically after expiry [2]. This is expected behavior for stateful (database-backed) sessions.

customSession + cookieCache has a known bug. When both are used together, multiple Set-Cookie headers get comma-joined into a single header, which can cause the browser to misparse cookie attributes. The session_token cookie can silently inherit the short 5-minute Max-Age from the session_data cookie, logging users out after 5 minutes instead of the normal session duration [3].

Recommendations:

• If you're getting logged out after 5 minutes, that's likely the customSession + cookieCache header bug. Try disabling cookieCache temporarily to confirm.
• Alternatively, increase cookieCache.maxAge to match your intended session lifetime (e.g., 60 * 60 * 24 * 7 for 7 days) so even if the bug is present, the expiry is long enough.
• If you just want to reduce DB hits, know that the cache only helps for the first 5 minutes after login — after that, every getSession call hits the DB anyway in stateful mode.

To reply, just mention @dosu.

---

Docs are dead. Just use Dosu.

[dosubot[bot]]

Here are the main options for reducing DB calls with Better Auth:

Option 1: Cookie cache with refreshCache (zero DB calls)
This is the most impactful change. By enabling refreshCache, the cookie auto-renews before expiry without hitting the database [1]. Without it (your current config), the cache just expires and every request after that goes to the DB.

session: {
  cookieCache: {
    enabled: true,
    maxAge: 5 * 60,
    strategy: "compact", // smallest cookie size, HMAC-signed
    refreshCache: true,  // auto-refreshes at 80% of maxAge, no DB call
  },
},

⚠️ Trade-off: revoked sessions stay active until the cache expires. You can use the version field to force-invalidate all caches on redeploy [2].

Option 2: Secondary storage (Redis)
Store sessions in Redis instead of your primary DB [3]. Better Auth has a built-in adapter:

import { redisStorage } from "better-auth/adapters";

export const auth = betterAuth({
  secondaryStorage: redisStorage({ client: redis, prefix: "auth:" }),
  // ...
});

Option 3: Hybrid (cookie cache + Redis)
Combine both for distributed deployments — cookies handle most reads, Redis is the fallback when the cache expires [4].

Also recommended: Add database indexes on sessions.userId, sessions.token, users.email, and accounts.userId for the DB calls that do happen [5].

Given your current setup with customSession, be aware of the Set-Cookie header bug when combining customSession with cookieCache — it can cause premature logouts. If you hit that, Redis secondary storage is the safer path until it's resolved.

To reply, just mention @dosu.

---

Docs are dead. Just use Dosu.

[ftmomin]

i see error

WARN [Better Auth]: [better-auth] session.cookieCache.refreshCacheis enabled whiledatabaseorsecondaryStorageis configured.refreshCacheis meant for stateless (DB-less) setups. DisablingrefreshCache — remove it from your config to silence this warning.

[dosubot[bot]]

Apologies for the misleading suggestion — refreshCache is explicitly disabled by Better Auth when a database is configured, since it's designed for stateless (DB-less) setups only [1]. That warning confirms it's being ignored.

For your setup (database + customSession), the realistic options to reduce DB calls are:

1. Cookie cache without refreshCache (what you already have) — caches session data for maxAge seconds, then falls back to a DB lookup. This still helps: every request within the 5-minute window skips the DB.

2. Redis secondary storage — this is the better fit for your use case. Sessions are read from Redis instead of Postgres, which is significantly faster. Remove refreshCache and add:

import { createClient } from "redis";
import { redisStorage } from "better-auth/adapters";

const redis = createClient({ url: process.env.REDIS_URL });
await redis.connect();

export const auth = betterAuth({
  secondaryStorage: redisStorage({ client: redis, prefix: "auth:" }),
  session: {
    cookieCache: {
      enabled: true,
      maxAge: 5 * 60, // still useful as a first-level cache
    },
  },
  // ...rest of your config
});

This gives you a two-tier cache: cookie first (no network call), then Redis (fast), with Postgres as the source of truth [2].

To reply, just mention @dosu.

---

Share context across your team and agents. Try Dosu.

[ftmomin]

i want to implement your 1st option
Cookie cache without refreshCache (what I already have) — caches session data for maxAge seconds, then falls back to a DB lookup. This still helps: every request within the 5-minute window skips the DB.

but its not happaning. when i login, session check against cookies cache for first 5 min(maxAge). things are good till here. but then after cookies cache maxAge all session check call hits DB.

[dosubot[bot]]

That behavior — cache works for 5 minutes, then every call hits the DB — suggests the session_data cookie is not being re-set after the DB fallback, even though the code is designed to do so [1].

This is likely the customSession + cookieCache Set-Cookie header bug mentioned earlier [2]. When customSession and cookieCache are both active, multiple Set-Cookie headers can get comma-joined into a single malformed header. The browser then fails to properly store the refreshed session_data cookie after the DB lookup, so the cache never repopulates.

To confirm, open your browser dev tools → Network tab → make a request after the 5-minute window → check the response headers for Set-Cookie. You should see separate session_token and session_data cookies. If they're joined into a single comma-separated value, that's the bug.

Practical options:

• Increase maxAge to something like 60 * 60 (1 hour) or even longer — fewer DB fallbacks means less exposure to the bug
• Switch to Redis secondary storage — avoids the cookie refresh issue entirely since session reads go to Redis instead of Postgres
• Remove customSession temporarily to verify the cache repopulates correctly without it — this will confirm whether customSession is the culprit

To reply, just mention @dosu.

---

Share context across your team and agents. Try Dosu.

[ftmomin]

How to implement an Access Token and Refresh Token strategy?
Store the session for 10 minutes(like accessToken), and after expiration, check the database to see if the session still exists.

without any secondary storage

[dosubot[bot]]

What you're describing is exactly how cookieCache is designed to work in stateful mode. Your current config already implements this pattern:

session: {
  expiresIn: 60 * 60 * 24 * 7, // 7 days — acts as "refresh token" lifetime
  updateAge: 60 * 60 * 24,     // 1 day — throttles DB session extension writes
  cookieCache: {
    enabled: true,
    maxAge: 10 * 60, // 10 minutes — acts as "access token"
  },
},

The flow [1]:

1. First 10 min: session is read from the cookie cache, zero DB calls
2. After 10 min: cache expires → DB lookup to verify session still exists
3. If valid: cookie cache is re-issued for another 10 minutes [2]
4. If session deleted/expired in DB: user is logged out

This is functionally the same as access/refresh tokens — the cookie cache is the short-lived access token, and the database session is the long-lived refresh token.

The issue you reported earlier (cache not repopulating after expiry) is likely caused by the customSession plugin interfering with the Set-Cookie header on the DB fallback response. To confirm, temporarily remove customSession and check if the cache regenerates properly after 10 minutes.

To reply, just mention @dosu.

---

Share context across your team and agents. Try Dosu.

[ftmomin]

after removing customSession , expired cookies cache does not refresh after checking database session.
here is new config

export const options = {
	baseURL: process.env.BETTER_AUTH_URL,
	database: drizzleAdapter(db, {
		provider: 'pg',
		schema: {
			user: schema.user,
			account: schema.account,
			session: schema.session,
			organization: schema.organization,
			member: schema.member,
			invitation: schema.invitation,
			verification: schema.verification,
			organizationRole: schema.organizationRole,
		},
	}),
	secret: process.env.BETTER_AUTH_SECRET,
	rateLimit: {
		enabled: process.env.NODE_ENV === 'production',
		window: 10, // time window in seconds
		max: 30, // max requests in the window
	},
	session: {
		expiresIn: 60 * 60 * 24 * 1, // 1 days — acts as "refresh token" lifetime
		updateAge: 60 * 60 * 10, // 10 minutes — throttles DB session extension writes
		cookieCache: {
			enabled: true,
			maxAge: 5 * 60, // 5 minutes — acts as "access token"
		},
		additionalFields: {
			activeOrganizationId: {
				type: 'string',
				required: false,
				defaultValue: null,
			},
			role: {
				type: 'string',
				required: false,
				defaultValue: 'member',
			},
		},
	},
	advanced: {
		useSecureCookies: process.env.NODE_ENV === 'production',
	},
	// CSRF protection enabled by default in Better Auth
	trustedOrigins: process.env.BETTER_AUTH_TRUSTED_ORIGINS
		? process.env.BETTER_AUTH_TRUSTED_ORIGINS.split(',')
		: [],
	emailAndPassword: {
		enabled: true,
		requireEmailVerification: true,
		sendResetPassword: async ({ user, token }) => {
			await sendPasswordResetEmail({
				userEmail: user.email,
				userName: user.name,
				resetToken: token,
			});
		},
		onPasswordReset: async ({ user }) => {
			await sendPasswordChangedEmail({
				userEmail: user.email,
				userName: user.name,
			});
		},
	},
	emailVerification: {
		sendOnSignUp: true,
		sendVerificationEmail: async ({ user, url }) => {
			await sendVerifyEmail({
				userEmail: user.email,
				userName: user.name,
				url: url,
			});
		},
	},
	user: {
		additionalFields: {
			metadata: {
				type: 'string',
				required: false,
				defaultValue: null,
			},
			userSettings: {
				type: 'string',
				required: false,
			},
		},
	},
	plugins: [
		organization({
			creatorRole: 'owner',
			organizationHooks: {
				afterCreateOrganization: async ({ organization, user }) => {
					await setDefaultOrganizationSettings({
						organizationId: organization.id,
						userId: user.id,
					});
				},
			},
			additionalFields: {
				settings: {
					type: 'string',
					required: false,
				},
			},
			ac,
			roles: {
				owner,
				member,
			},
			dynamicAccessControl: {
				enabled: true,
			},
		}),
		nextCookies(),
	],
	databaseHooks: {
		session: {
			create: {
				before: async (session) => {
					const organization = await db.query.member.findMany({
						where: (member, { eq }) => eq(member.userId, session.userId),
						orderBy: (member, { desc }) => desc(member.createdAt),
						columns: {
							organizationId: true,
							role: true,
						},
					});

					if (!organization || organization.length === 0) {
						return {
							data: {
								...session,
								activeOrganizationId: null,
								role: 'member',
							},
						};
					}

					return {
						data: {
							...session,
							activeOrganizationId:
								organization && organization.length === 1
									? organization[0].organizationId
									: null,
							role:
								organization && organization.length === 1
									? organization[0].role
									: 'member',
						},
					};
				},
			},
		},
	},
} satisfies BetterAuthOptions;

export const auth = betterAuth({
	...options,
});