BA
Better Auth•6mo ago
Wadson

Session Expiration Limited to 1 Day Despite 7-Day Configuration

We're experiencing a session expiration issue with Better Auth where our sessions are only valid for 1 day instead of 7, despite the specified configuration. In our logs, we can see session creation with: 
sessionExpiresAt: '2025-05-02 19:40:17.627',
sessionCreatedAt: '2025-05-01 19:40:17.628',
timeDiffDays: 0.999999988425926
sessionExpiresAt: '2025-05-02 19:40:17.627',
sessionCreatedAt: '2025-05-01 19:40:17.628',
timeDiffDays: 0.999999988425926
Relevant Configuration: 
// auth.ts
export const auth = betterAuth({
  session: {
    expiresIn: 60 * 60 * 24 * 7, // 7 days
    updateAge: 60 * 60 * 24, // 1 day
    cookieCache: {
      enabled: true,
      maxAge: 5 * 60, // 5 minutes
    },
  },
  plugins: [
    customSession(async ({ user, session }) => {
      // Custom session logic
      return { user: { ...user }, session };
    }),
    nextCookies(),
  ],
});
// auth.ts
export const auth = betterAuth({
  session: {
    expiresIn: 60 * 60 * 24 * 7, // 7 days
    updateAge: 60 * 60 * 24, // 1 day
    cookieCache: {
      enabled: true,
      maxAge: 5 * 60, // 5 minutes
    },
  },
  plugins: [
    customSession(async ({ user, session }) => {
      // Custom session logic
      return { user: { ...user }, session };
    }),
    nextCookies(),
  ],
});
API Routes: 
// app/api/auth/[...all]/route.ts
import { auth } from "@/lib/auth";
import { toNextJsHandler } from "better-auth/next-js";
 
export const { POST, GET } = toNextJsHandler(auth.handler);
// app/api/auth/[...all]/route.ts
import { auth } from "@/lib/auth";
import { toNextJsHandler } from "better-auth/next-js";
 
export const { POST, GET } = toNextJsHandler(auth.handler);
Client: 
// auth-client.ts
import { createAuthClient } from "better-auth/react";
import { inferAdditionalFields } from "better-auth/client/plugins";
import { customSessionClient } from "better-auth/client/plugins";
import { auth } from "./auth";

export const authClient = createAuthClient({
  plugins: [
    inferAdditionalFields<typeof auth>(),
    customSessionClient<typeof auth>(),
  ],
  baseURL: "http://localhost:8082",
});
// auth-client.ts
import { createAuthClient } from "better-auth/react";
import { inferAdditionalFields } from "better-auth/client/plugins";
import { customSessionClient } from "better-auth/client/plugins";
import { auth } from "./auth";

export const authClient = createAuthClient({
  plugins: [
    inferAdditionalFields<typeof auth>(),
    customSessionClient<typeof auth>(),
  ],
  baseURL: "http://localhost:8082",
});
Issue Details: 1. When checking expiresAt in the database, session expiration is consistently set to createdAt + 1 day, not 7 days. 2. Our session cookie is set correctly but expires after ~5 min and is not renewed. 3. This causes authentication errors in our app when fetching from protected endpoints. Is this expected behavior? better-auth: 1.2.7, better-fetch: 1.1.2, next": 15.2.4, Any insights appreciated!
Solution:
I discovered that setting rememberMe: true resolved our session expiration issue. Sessions were only lasting 1 day instead of the configured 7 days. The current documentation only states:
"rememberMe: If false, the user will be signed out when the browser is closed. (optional) (default: true)"
...
Jump to solution
1 Reply
Solution
Wadson
Wadson•6mo ago
I discovered that setting rememberMe: true resolved our session expiration issue. Sessions were only lasting 1 day instead of the configured 7 days. The current documentation only states:
"rememberMe: If false, the user will be signed out when the browser is closed. (optional) (default: true)"
However, our investigation shows that rememberMe has a more significant impact than documented. When rememberMe is false (or not explicitly set to true when signing in), it appears to override the session.expiresIn configuration, limiting session expiration to approximately creationTime + 1 day regardless of the configured 7-day expiration. I suggest updating the documentation to clarify that: 1. The rememberMe parameter affects not just browser-close behavior but also the maximum session duration 2. When rememberMe is false, the session expiration is limited regardless of the session.expiresIn setting 3. To achieve longer sessions as specified in expiresIn, clients must explicitly pass rememberMe: true during authentication This clarification would help other developers avoid the confusion we experienced. Thank you for the great Library 💪

Did you find this page helpful?