Does Better Auth Support Session/Token Rotation?

In Better Auth, if a session cookie is stolen and reused in another browser, does the library provide any built-in mechanism to prevent session hijacking (like session rotation, device/IP binding, or fingerprint validation)? From what I’ve seen, there doesn’t seem to be session/token rotation for email/password authentication — could you confirm if that’s correct and suggest the recommended approach to mitigate this risk?
8 Replies
Ping, 2w ago
A session doesn't last forever; it will eventually expire, and with that comes the need for a new session. That's essentially session token rotation already. If you somehow knew that a session was hijacked, we have a revoke-session API.
Linked: Session Management | Better Auth (Better Auth session management.)
James (OP), 2w ago
In the docs I saw that “The session expires after 7 days by default. But whenever the session is used and the updateAge is reached, the session expiration is updated to the current time plus the expiresIn value.” I just want to confirm: when this happens, does Better Auth actually issue a new session token (rotation) or does it keep the same token and just extend the expiration time (updateAge)?
Ping, 2w ago
Oh, you're right, sorry, my mistake. Yeah, it won't ask for a new session and would just extend the current one. For a hijacker to get the session token will most likely be a really hard challenge to solve, and most likely will be from some form of social engineering to get it, but putting that aside, assuming somehow they were able to grab the token, you can use the revoke session API, which will revoke that token.
James (OP), 2w ago
But how does the user know that their token got stolen? For example, their system gets compromised and their Chrome browser cookie gets stolen, and they use the cookies to access their account; as there is no refresh token, it is hard to tell if the account is compromised. For access and refresh tokens, when the access token expires the backend will issue both a new refresh and access token, so if a hacker gets the old refresh token, it can't do anything in that case.
Ping, 2w ago
You can't really; the easiest way to know, off the top of my head, is either they see things changing in the app which they didn't do, or they figure out that their computer was compromised or something like that. A session token rotation system would mean that the user wouldn't know the new token when it's rotated (of course), which would mean they would have to sign in again. In this sense, you could just change the updateAge to never really be reached, so that by the time the expiration time is hit they're forcibly logged out and thus required to log in again. Realistically speaking, a session token is stored with httpOnly & secure in production; a hacker couldn't get the token through JavaScript, and the only way to get the token is either they compromised your auth server, or they reverse engineer the entire browser on the user's device, all in order to get the token.
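As an added illustration (not code from Better Auth or from anyone in this thread), the TypeScript below models the sliding-expiration rule quoted from the docs earlier and compares two assumed `expiresIn`/`updateAge` policies, showing why an `updateAge` that is never reached bounds how long a replayed cookie stays valid:

```typescript
// Model of the documented rule: "whenever the session is used and updateAge is
// reached, expiration is updated to now + expiresIn". This is an illustration
// of that behaviour, not Better Auth's implementation. Times are in seconds.

interface SessionRecord {
  token: string;       // never changes: the thread confirms there is no rotation
  expiresAt: number;
  updatedAt: number;   // last time the expiry was refreshed
}

interface SessionPolicy {
  expiresIn: number;   // lifetime granted at creation and at each refresh
  updateAge: number;   // minimum age of the last refresh before extending again
}

const DAY = 24 * 60 * 60;

function createSession(token: string, now: number, policy: SessionPolicy): SessionRecord {
  return { token, expiresAt: now + policy.expiresIn, updatedAt: now };
}

// Called on every authenticated request: null if expired, otherwise the
// (possibly extended) record. The token itself is left untouched.
function touchSession(s: SessionRecord, now: number, policy: SessionPolicy): SessionRecord | null {
  if (now >= s.expiresAt) return null;
  if (now - s.updatedAt >= policy.updateAge) {
    return { ...s, expiresAt: now + policy.expiresIn, updatedAt: now };
  }
  return s;
}

// Defender's risk check: replay a stolen cookie once a day for `days` days and
// report the last day on which it was still accepted under the given policy.
function replayWindowDays(policy: SessionPolicy, days = 60): number {
  let s: SessionRecord | null = createSession("constructed-token", 0, policy);
  let lastOk = 0;
  for (let d = 1; d <= days && s; d++) {
    s = touchSession(s, d * DAY, policy);
    if (s) lastOk = d;
  }
  return lastOk;
}

// Assumed sliding policy: daily use keeps extending the session indefinitely.
const sliding: SessionPolicy = { expiresIn: 7 * DAY, updateAge: 1 * DAY };
// Policy from the reply above: updateAge >= expiresIn can never be reached, so the
// stolen cookie dies at the original 7-day expiry however often it is replayed.
const fixed: SessionPolicy = { expiresIn: 7 * DAY, updateAge: 7 * DAY };
```

Under the sliding policy the replay keeps working for the whole simulated period, while under the fixed policy it stops after day 6.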
James (OP), 2w ago
@Ping Ok, thanks for the help. Is there any future plan to introduce JWT access tokens and refresh tokens in Better Auth?
Ping, 2w ago
I don't think we have any plans for that yet.
nikatune, 7d ago
Can you look at my DMs?