Docs

Cookies

Cookies are used to store data such as session tokens, CSRF tokens, and more. All cookies are signed using the secret key provided in the auth options.

Core Better Auth cookies like session and csrf will follow betterauth.${cookie_name} format.

All cookies are httpOnly and secure if the server is running in production mode.

Cross Subdomain Cookies (🧪 Experimental)

Sometimes you may need to share cookies across subdomains. For example, if you have app.example.com and example.com, and if you authenticate on example.com, you may want to access the same session on app.example.com.

By default, cookies are not shared between subdomains. However, if you need to access the same session across different subdomains, you can enable cross-subdomain cookies. To do this, set crossSubDomainCookies to true in the advanced object of the auth options.

Keep in mind that this does not imply that all cookies will be shared across subdomains; only a specific subset of cookies necessary for session sharing will be set.

auth.ts
import { betterAuth } from "better-auth"
 
export const auth = betterAuth({
    advanced: {
        crossSubDomainCookies: {
            enabled: true,
            domain: "example.com" // Optional. Defaults to the base url domain
        }
    }
})

This feature is experimental and may not work as expected in all scenarios. And this is specefically to share session cookies across subdomains.

If you want to disable the CSRF cookie, you can set disableCsrfCheck to true in the advanced object in the auth options. If you disable the CSRF cookie, you should make sure that your framework handles CSRF protection itself.

auth.ts
import { betterAuth } from "better-auth"
 
export const auth = betterAuth({
    advanced: {
        disableCSRFCheck: true
    }
})

Secure Cookies

By default, cookies are secure if the server is running in production mode. You can force cookies to be secure by setting useSecureCookies to true in the advanced object in the auth options.

auth.ts
import { betterAuth } from "better-auth"
 
export const auth = betterAuth({
    advanced: {
        useSecureCookies: true
    }
})

CSRF Protection

Cross-Site Request Forgery (CSRF) Protection in Better Auth

Better Auth protects your app from CSRF attacks in two ways:

  1. Secure Cookies: All cookies are marked as HttpOnly, Secure, and use the SameSite=Lax attribute. This ensures they’re inaccessible to client-side scripts, only sent over HTTPS, and not shared across sites.

  2. CSRF Tokens: By default, CSRF token checks are disabled for the same origin as baseURL, since CSRF attacks only affect browser requests. For other origins, CSRF tokens are required for POST requests. It uses double submit cookies to validate the token. Each session has a unique CSRF token that is sent as a cookie and a header in every request. If the two don’t match, the request is rejected.

You can adjust this behavior:

  • Use disableCSRFTokenCheck: true on the client to skip token checks entirely.
  • To allow untrusted origins, specify them in the trustedOrigins option on the server. These origins will be exempt from CSRF checks.

Untrusted requests without valid tokens will result in a 403 error.

You can also disable CSRF token check for all clients by setting advanced.disableCSRFCheck option on the server. You should only do this if your framework handles CSRF protection itself.

On this page

Cross Subdomain Cookies (🧪 Experimental)
Disable CSRF Cookie (⚠︎ Not Recommended)
Secure Cookies
CSRF Protection
Edit on GitHub