Admin Plugin - Issue with cookie cache and secondary storage not updating on `auth.api.setRole` call

I'm encountering a problem with cookie cache and secondary storage behavior when updating user roles using

auth.api.setRole

auth.api.setRole

auth.api.setRole

auth.api.setRole in my Remix+Better-Auth project.

Issue description:

When I call
```
auth.api.setRole
```
auth.api.setRole
```
auth.api.setRole
```
auth.api.setRole
to update a user's role (e.g., promote a user to "admin" or revert them), the response headers do not include any
```
Set-Cookie
```
Set-Cookie
```
Set-Cookie
```
Set-Cookie
headers. Example response headers look like this:
{ "Content-Type": "application/json" }
```
{ "Content-Type": "application/json" }
```
{ "Content-Type": "application/json" }
```
{ "Content-Type": "application/json" }
```
Because of this, the cookie session does not update on the client side.
In my Cloudflare KV store (which is configured as the
```
secondaryStorage
```
secondaryStorage
```
secondaryStorage
```
secondaryStorage
for Better-Auth), the user data appears duplicated rather than updated properly. I assume the KV data is supposed to be tied to the session cookie.
This leads to inconsistent state where I can promote a user to admin and then when logged in as a "member", change them back to admin again, since cookie cache and secondary storage aren't working properly.

Even when I forcibly disable cookie cache like this:

const session = await auth.api.getSession({
  headers: request.headers,
  query: {
    disableCookieCache: true,
  },
});

const session = await auth.api.getSession({
  headers: request.headers,
  query: {
    disableCookieCache: true,
  },
});

const session = await auth.api.getSession({
  headers: request.headers,
  query: {
    disableCookieCache: true,
  },
});

const session = await auth.api.getSession({
  headers: request.headers,
  query: {
    disableCookieCache: true,
  },
});

the problem persists.

KennyOP•5/2/25, 12:06 AM

Environment & Setup:

Using Better-Auth with Kysely-D1 dialect on Cloudflare Workers.
Cookie cache is enabled with 5-minute maxAge.
Secondary storage is backed by Cloudflare KV with typical getget, setset, and deletedelete operations.
setRolesetRole API response does not contain any
```
Set-Cookie
```
```
Set-Cookie
```
header, which seems unusual since the session info should theoretically be updated or synced after role changes.

Relevant portion of serverAuthserverAuth config:

session: {
  modelName: "firestorm_sessions",
  cookieCache: {
    enabled: true,
    maxAge: 300,
  },
},
secondaryStorage: {
  get: (k) => FIRESTORM_AUTH_KV.get(k),
  set: (k, v) => FIRESTORM_AUTH_KV.put(k, v),
  delete: (k) => FIRESTORM_AUTH_KV.delete(k),
},

session: {
  modelName: "firestorm_sessions",
  cookieCache: {
    enabled: true,
    maxAge: 300,
  },
},
secondaryStorage: {
  get: (k) => FIRESTORM_AUTH_KV.get(k),
  set: (k, v) => FIRESTORM_AUTH_KV.put(k, v),
  delete: (k) => FIRESTORM_AUTH_KV.delete(k),
},

In my admin users PATCH handler, after calling
```
auth.api.setRole
```
```
auth.api.setRole
```
, the returned ResponseResponse headers lack any cookies.

Could someone please help clarify:

Should
```
auth.api.setRole
```
```
auth.api.setRole
```
update the session cookie or send
```
Set-Cookie
```
```
Set-Cookie
```
headers automatically on role change?
Does Better-Auth sync the updated user data to secondary storage automatically on setRolesetRole? Or do I need to do something manually to prevent duplication or stale data?
Could the lack of cookie headers in the response be expected behavior? If so, how should the session and cookie cache be properly updated after role changes?
Anything else I should look for or debug to ensure cookie cache and secondary storage remain consistent with user updates?

Thank you for any pointers or explanations!

KennyOP•5/2/25, 12:08 AM

I should also mention that if I run the command to update my user's name attribute with that api right after everything is updated in cookies and second storage properly so I have isolated the issue to

auth.api.setRole

auth.api.setRole

KennyOP•5/2/25, 12:27 AM

running it on the client doesn't fix it either

KennyOP•5/2/25, 12:34 AM

This is the temporary workaround I came up with (located after authClient.admin.setRole`:

            // HACK to force secondary and cookie storage to be updated
            // Track https://discord.com/channels/1288403910284935179/1367653484496683169
            await authClient.updateUser({
                name: user.name,
            });

            // HACK to force secondary and cookie storage to be updated
            // Track https://discord.com/channels/1288403910284935179/1367653484496683169
            await authClient.updateUser({
                name: user.name,
            });

La_rs•5/2/25, 1:09 PM

The session in secondary storage is also not updated when the user verifys their email

La_rs•5/2/25, 1:10 PM

I think it is a bug, that only updateUser updates the session in secondary storage

_tws_•11/4/25, 5:16 PM

Hello @Kenny
Did you get any updates on your secondary storage refresh issue?

thx

__tws_Hello @Kenny Did you get any updates on your secondary storage refresh issue? ...

ben•11/4/25, 6:03 PM

I know the team is working on things related to this (that may end up solving this, not sure - I am new to better-auth as of last week): https://github.com/better-auth/better-auth/pull/5735

GitHub

fix(session): persist additionalFields in cookie cache by Ridhim-RR...

Fixes #5700
Fix: Additional fields declared in the session configuration should be persisted into the cache
Problem
When cookie cache is enabled, /api/auth/get-session doesn&#39;t include addit...

KKenny This is the temporary workaround I came up with (located after authClient.admin....

ben•11/4/25, 6:05 PM

This is what I am doing as well lol. I have a "refreshAuthUserData" function that runs api.updateUser on the server for any APIs I have that might update user data

ben•11/4/25, 6:05 PM

I avoid allowing the client to do any updating as much as possible but it's basically the same tactic.

Bben This is what I am doing as well lol. I have a "refreshAuthUserData" function tha...

_tws_•11/4/25, 6:06 PM

yeah.. let's hope this can be bundled into the refresh() or getSession() functions

cc @Better Auth

Better Auth•11/4/25, 6:06 PM

Hey there! Great observation. We actually added query parameter support to useSession().refetch() so that you can control aspects like cookie caching and refresh behavior—this is covered in the recent improvements [2]. Additionally, the latest changes on refreshing session cookies before expiry enhance getSession()’s behavior [1]. While we're always looking at ways to bundle and streamline everything into a more unified refresh or getSession function, for now you can pass options like disableCookieCache or disableRefresh to getSession or useSession().refetch() to achieve the desired effect.

Does this approach address what you were hoping to see, or would you like to see further unification?

Sources:
[1] fix(session): refresh cache before it expires
[2] feat: add query parameter to useSession().refetch() for cache control consistency

— Better Auth is powered by https://clarm.com

GitHub

Build software better, together

GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.

GitHub

Build software better, together

GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.

GitHub

fix(session): refresh cache before it expires by himself65 · Pull ...

Summary by cubic
Add freshness-based refresh for the cookie session cache to prevent stale data and reduce unnecessary DB calls. Sessions now refresh before they expire and support cookie-only scen...

GitHub

feat: add query parameter to useSession().refetch() for cache contr...

Closes #3889
This PR adds query parameter (disableCookieCache and disableRefresh) to useSession().refetch() for consistency with getSession().
Currently, getSession() supports query parameters like...

ben•11/4/25, 6:07 PM

I think Bereket has been careful about all this stuff due to how much people might start bloating their cookies and inherent cookie limitations.

ben•11/4/25, 6:08 PM

On the client, after I run my little server hack to trigger the update, I also run getSession with the disableCookie cache flag

ben•11/4/25, 6:10 PM

I'm using mongodb + Valkey/Redis here

ben•11/4/25, 6:11 PM

secondarystorage/valkey for sessions without database persistence enabled

ben•11/4/25, 6:26 PM

The team is working fast on this stuff. There was something interesting I saw checked in yesterday - https://github.com/better-auth/better-auth/pull/5601

GitHub

feat: stateless session management by Bekacru · Pull Request #560...

Summary by cubic
Adds stateless, database-less session management using signed/encrypted cookie cache with optional auto-refresh. Introduces new cookie cache strategies (compact, jwt, jwe) and a re...

Bben I think Bereket has been careful about all this stuff due to how much people mig...

ben•11/5/25, 8:28 PM

LMAO https://github.com/better-auth/better-auth/pull/5645

GitHub

feat: session store chunking by himself65 · Pull Request #5645 · ...

Summary by cubic
Add cookie chunking for session data to support values larger than 4KB and prevent cache failures. Session cookies are split, reassembled on read, and fully cleaned up on sign out....

ben•11/5/25, 8:29 PM

Didnt see this until today's mention of the 1.4 beta

Admin Plugin - Issue with cookie cache and secondary storage not updating on `auth.api.setRole` call

Similar Threads

Similar Threads

Similar Threads