Handling better-auth.two_factor cookie after TOTP verification and logout
Hi there, I’m using Better-Auth with TOTP-based 2FA and had a question about the better-auth.two_factor cookie behavior.
I’ve noticed that after a user successfully verifies their TOTP code, the better-auth.two_factor cookie remains present in the browser — even after a full session is created. Similarly, it doesn’t appear to be cleared when the user logs out.
This leads to a UX issue where, after logout, my middleware sees the cookie still present (but no session), and incorrectly redirects users back to /verify-2fa instead of letting them hit /.
I’ve tried clearing the cookie manually on the client using document.cookie (clearing both better-auth.two_factor and __Secure-better.auth.two_factor), but it seems the cookie remains — possibly due to flags set on your end like Secure, SameSite, or path/domain.
My question is:
Is there a recommended way to programmatically clear the 2FA cookie after successful verification or logout?
Or is it intentionally designed to expire naturally (e.g. after 10–15 minutes) without early deletion support?
I just want to make sure I’m not missing an intended way to handle this, and that I’m not fighting against the system if it’s something Better-Auth handles on its own.
Thanks so much — appreciate any insight you can provide!
I’ve noticed that after a user successfully verifies their TOTP code, the better-auth.two_factor cookie remains present in the browser — even after a full session is created. Similarly, it doesn’t appear to be cleared when the user logs out.
This leads to a UX issue where, after logout, my middleware sees the cookie still present (but no session), and incorrectly redirects users back to /verify-2fa instead of letting them hit /.
I’ve tried clearing the cookie manually on the client using document.cookie (clearing both better-auth.two_factor and __Secure-better.auth.two_factor), but it seems the cookie remains — possibly due to flags set on your end like Secure, SameSite, or path/domain.
My question is:
Is there a recommended way to programmatically clear the 2FA cookie after successful verification or logout?
Or is it intentionally designed to expire naturally (e.g. after 10–15 minutes) without early deletion support?
I just want to make sure I’m not missing an intended way to handle this, and that I’m not fighting against the system if it’s something Better-Auth handles on its own.
Thanks so much — appreciate any insight you can provide!
