Session Management

Better Auth manages session using a traditional cookie-based session management. The session is stored in a cookie and is sent to the server on every request. The server then verifies the session and returns the user data if the session is valid.

Session table

The session table stores the session data. The session table has the following fields:

• id: The session id. Which is also used as the session cookie.
• userId: The user id of the user.
• expiresAt: The expiration date of the session.
• ipAddress: The IP address of the user.
• userAgent: The user agent of the user. It stores the user agent header from the request.

Session Expiration

The session expires after 7 days by default. But whenever the session is used, and the updateAge is reached the session expiration is updated to the current time plus the expiresIn value.

You can change both the expiresIn and updateAge values by passing the session object to the auth configuration.

import { betterAuth } from "better-auth"
 
export const auth = betterAuth({
    //... other config options
    session: {
        expiresIn: 60 * 60 * 24 * 7, // 7 days
        updateAge: 60 * 60 * 24 // 1 day (every 1 day the session expiration is updated)
    }
})

Session Management

Better Auth provides a set of functions to manage sessions.

Get Session

The getSession function retrieves the current active session.

import { authClient } from "@/lib/client"
 
const session = await authClient.getSession()

Use Session

The useSession action provides a reactive way to access the current session.

import { authClient } from "@/lib/client"
 
const session = await authClient.useSession()

List Sessions

The listSessions function returns a list of sessions that are active for the user.

import { authClient } from "@/lib/client"
 
const sessions = await authClient.listSessions()

Revoke Session

When a user signs out of a device, the session is automatically ended. However, you can also end a session manually from any device the user is signed into.

To end a session, use the revokeSession function. Just pass the session ID as a parameter.

await authClient.revokeSession({
    id: session.id,
})

Revoke Other Sessions

To revoke all other sessions except the current session, you can use the revokeOtherSessions function.

await authClient.revokeOtherSessions()

Revoke All Sessions

To revoke all sessions, you can use the revokeSessions function.

await authClient.revokeSessions()

Revoking Sessions on Password Change

You can revoke all sessions when the user changes their password by passing revokeOtherSessions true on changePAssword function.

await authClient.changePassword({
    newPassword: newPassword,
    currentPassword: currentPassword,
    revokeOtherSessions: signOutDevices,
})

Session Caching

Cookie Cache

Calling your database every time useSession or getSession invoked isn’t ideal, especially if sessions don’t change frequently. Cookie caching handles this by storing session data in a short-lived, signed cookie—similar to how JWT access tokens are used with refresh tokens.

When cookie caching is enabled, the server can check session validity from the cookie itself instead of hitting the database each time. The cookie is signed to prevent tampering, and a short maxAge ensures that the session data gets refreshed regularly. If a session is revoked or expires, the cookie will be invalidated automatically.

To turn on cookie caching, just set session.cookieCache in your auth config:

const auth = new BetterAuth({
    session: {
        cookieCache: {
            enabled: true,
            maxAge: 5 * 60 // Cache duration in seconds
        }
    }
});

If you want to disable returning from the cookie cache when fetching the session, you can pass disableCookieCache:true

const session = await authClient.getSession({ query: {
    disableCookieCache: true
}})

or on the server

auth.api.getSession({
    query: {
        disableCookieCache: true,
    }, 
    headers: req.headers, // pass the headers
});