Better Auth • 5mo ago
Nova

Managing Device Identifier Cookie: Where to Handle and Refresh It?

Hey everyone! 👋 I'm implementing a device identifier system for user devices — even for users not logged in. Right now, my plan is:

- Set a cookie with the device ID.
- Use a max-age of 365 days.
- Refresh the cookie (i.e., reset its expiration) once a week if the user makes any request.

My questions are:

- Is it okay to handle this outside of Better Auth, or should it be handled internally in the auth layer (e.g., before hitting any auth-protected endpoints)?
- I'm thinking of hooking into a point before any auth endpoint is called, like validate-session, since it runs when the page loads — would that be a good spot to update the cookie if needed?
- Is there a better way to automatically refresh the cookie without tightly coupling it to every request handler?

Any insights or best practices would be really appreciated! 🙏
2 Replies
Ping • 5mo ago
I assume your goal is just to make sure that the device identifier is always up to date and won't expire.
> would that be a good spot to update the cookie if needed?
Depends on your app and how often you think your app will be making auth calls. There isn't a real signal to say when to update the cookie. Maybe one solid one to tie it to is the getSession endpoint, but again it also does depend on your app.
Nova (OP) • 5mo ago
Thanks so much for your response - that helps clarify things!

To give a bit more context: I'm using the device identifier specifically in the request to the Swedish BankID server when starting the authentication process. So I don't need it for session tracking or long-term analytics - I just need a stable identifier that persists and is available before any authentication happens. My goal is to ensure the identifier doesn't expire (or at least gets refreshed regularly).

What I’m unsure about is:

- What’s the best way to implement and manage this identifier using Better Auth in a custom plugin?
- Should this be handled inside Better Auth (e.g., in a custom plugin or middleware), or is it okay to manage the cookie entirely outside of it (my suggestion is that it would be more convenient for other users of the plugin to be managed by it)?

Any guidance on where this logic fits best in a custom Better Auth plugin (or architecture suggestions in general) would be really appreciated 🙏
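
Added example, not part of the thread and not Better Auth code: one way to do the weekly refresh of a 365-day device cookie in a single place is to wrap a fetch-style handler once instead of touching each endpoint. The cookie name `device_id`, the `<uuid>.<issuedAt>` value format and the function names are assumptions.

```javascript
// Added example: device_id, planDeviceCookie and withDeviceId are assumed names.
const COOKIE = "device_id";
const MAX_AGE_S = 365 * 24 * 60 * 60;      // 365-day lifetime, as in the question
const REFRESH_AFTER_S = 7 * 24 * 60 * 60;  // re-issue at most once a week
// Value format "<uuid>.<issuedAtSeconds>": the server never sees a cookie's
// expiry, so the issue time has to travel inside the value.
const VALUE_RE = /^([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\.(\d{1,12})$/;

function serialize(id, nowS) {
  return `${COOKIE}=${id}.${nowS}; Max-Age=${MAX_AGE_S}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Pure decision step: returns the device ID to use and a Set-Cookie value,
// or null when the existing cookie is valid and younger than a week.
function planDeviceCookie(cookieHeader, nowMs, newId = () => globalThis.crypto.randomUUID()) {
  const nowS = Math.floor(nowMs / 1000);
  const pair = (cookieHeader || "").split(";").map((p) => p.trim())
    .find((p) => p.startsWith(COOKIE + "="));
  const m = pair && VALUE_RE.exec(pair.slice(COOKIE.length + 1));
  // The cookie is client-controlled: anything malformed or dated in the
  // future is discarded and replaced rather than passed downstream.
  if (!m || Number(m[2]) > nowS) {
    const id = newId();
    return { deviceId: id, setCookie: serialize(id, nowS) };
  }
  const stale = nowS - Number(m[2]) >= REFRESH_AFTER_S;
  return { deviceId: m[1], setCookie: stale ? serialize(m[1], nowS) : null };
}

// Wraps any fetch-style handler (Request -> Response) so the refresh lives in
// one place; the second argument hands the device ID to the handler.
function withDeviceId(handler) {
  return async (request) => {
    const plan = planDeviceCookie(request.headers.get("cookie"), Date.now());
    const res = await handler(request, plan.deviceId);
    if (!plan.setCookie) return res;
    const headers = new Headers(res.headers);
    headers.append("set-cookie", plan.setCookie);
    return new Response(res.body, { status: res.status, statusText: res.statusText, headers });
  };
}
```

Because the value is not signed, the device ID should be treated as an untrusted hint rather than proof of which device is calling.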
