Session Management
Better Auth manages session using a traditional cookie-based session management. The session is stored in a cookie and is sent to the server on every request. The server then verifies the session and returns the user data if the session is valid.
Session table
The session table stores the session data. The session table has the following fields:
id
: The session id. Which is also used as the session cookie.userId
: The user id of the user.expiresAt
: The expiration date of the session.ipAddress
: The IP address of the user.userAgent
: The user agent of the user. It stores the user agent header from the request.
Session Expiration
The session expires after 7 days by default. But whenever the session is used, and the updateAge
is reached the session expiration is updated to the current time plus the expiresIn
value.
You can change both the expiresIn
and updateAge
values by passing the session
object to the auth
configuration.
Session Management
Better Auth provides a set of functions to manage sessions.
List Sessions
The listSessions
function returns a list of sessions that are active for the user.
Revoke Session
When a user signs out of a device, the session is automatically ended. However, you can also end a session manually from any device the user is signed into.
To end a session, use the revokeSession
function. Just pass the session ID as a parameter.
Revoke All Sessions
To revoke all sessions, you can use the revokeSessions
function.
Revoking Sessions on Password Change
You can revoke all sessions when the user changes their password by passing revokeOtherSessions
true on changePAssword
function.