fix(lastLoginMethod): inherit cross-subdomain cookie settings in lastLoginMethod plugin (#4572)

Author: lumpinif

docs/content/docs/plugins/last-login-method.mdx

@@ -260,6 +260,7 @@ export const auth = betterAuth({
 **cookieName**: `string`
 - The name of the cookie used to store the last login method
 - Default: `"better-auth.last_used_login_method"`
+- **Note**: This cookie is `httpOnly: false` to allow client-side JavaScript access for UI features
 
 **maxAge**: `number` 
 - Cookie expiration time in seconds
@@ -314,6 +315,15 @@ The plugin automatically detects the method from these endpoints:
 - `/sign-in/email` - Email sign in
 - `/sign-up/email` - Email sign up
 
+## Cross-Domain Support
+
+The plugin automatically inherits cookie settings from Better Auth's centralized cookie system. This solves the problem where the last login method wouldn't persist across:
+
+- **Cross-subdomain setups**: `auth.example.com` → `app.example.com`
+- **Cross-origin setups**: `api.company.com` → `app.different.com`
+
+When you enable `crossSubDomainCookies` or `crossOriginCookies` in your Better Auth config, the plugin will automatically use the same domain, secure, and sameSite settings as your session cookies, ensuring consistent behavior across your application.
+
 ## Advanced Examples
 
 ### Custom Provider Tracking

packages/better-auth/src/plugins/last-login-method/custom-prefix.test.ts

@@ -0,0 +1,225 @@
+import { describe, expect, it } from "vitest";
+import { getTestInstance } from "../../test-utils/test-instance";
+import { lastLoginMethod } from ".";
+import { lastLoginMethodClient } from "./client";
+import { parseCookies } from "../../cookies";
+
+describe("lastLoginMethod custom cookie prefix", async () => {
+it("should work with default cookie name regardless of custom prefix", async () => {
+const { client, cookieSetter, testUser } = await getTestInstance(
+{
+advanced: {
+cookiePrefix: "custom-auth",
+},
+plugins: [lastLoginMethod()],
+},
+{
+clientOptions: {
+plugins: [lastLoginMethodClient()],
+},
+},
+);
+
+const headers = new Headers();
+await client.signIn.email(
+{
+email: testUser.email,
+password: testUser.password,
+},
+{
+onSuccess(context) {
+cookieSetter(headers)(context);
+},
+},
+);
+const cookies = parseCookies(headers.get("cookie") || "");
+// Uses exact cookie name from config, not affected by cookiePrefix
+expect(cookies.get("better-auth.last_used_login_method")).toBe("email");
+});
+
+it("should work with custom cookie name and prefix", async () => {
+const { client, cookieSetter, testUser } = await getTestInstance(
+{
+advanced: {
+cookiePrefix: "my-app",
+},
+plugins: [lastLoginMethod({ cookieName: "my-app.last_method" })],
+},
+{
+clientOptions: {
+plugins: [lastLoginMethodClient()],
+},
+},
+);
+
+const headers = new Headers();
+await client.signIn.email(
+{
+email: testUser.email,
+password: testUser.password,
+},
+{
+onSuccess(context) {
+cookieSetter(headers)(context);
+},
+},
+);
+const cookies = parseCookies(headers.get("cookie") || "");
+expect(cookies.get("my-app.last_method")).toBe("email");
+});
+
+it("should work with custom cookie name regardless of prefix", async () => {
+const { client, cookieSetter, testUser } = await getTestInstance(
+{
+advanced: {
+cookiePrefix: "my-app",
+},
+plugins: [lastLoginMethod({ cookieName: "last_login_method" })],
+},
+{
+clientOptions: {
+plugins: [lastLoginMethodClient()],
+},
+},
+);
+
+const headers = new Headers();
+await client.signIn.email(
+{
+email: testUser.email,
+password: testUser.password,
+},
+{
+onSuccess(context) {
+cookieSetter(headers)(context);
+},
+},
+);
+const cookies = parseCookies(headers.get("cookie") || "");
+// Uses exact cookie name from config, not affected by cookiePrefix
+expect(cookies.get("last_login_method")).toBe("email");
+});
+
+it("should work with cross-subdomain and custom prefix", async () => {
+const { client, testUser } = await getTestInstance(
+{
+baseURL: "https://auth.example.com",
+advanced: {
+cookiePrefix: "custom-auth",
+crossSubDomainCookies: {
+enabled: true,
+domain: "example.com",
+},
+},
+plugins: [lastLoginMethod()],
+},
+{
+clientOptions: {
+plugins: [lastLoginMethodClient()],
+},
+},
+);
+
+await client.signIn.email(
+{
+email: testUser.email,
+password: testUser.password,
+},
+{
+onResponse(context) {
+const setCookie = context.response.headers.get("set-cookie");
+expect(setCookie).toContain("Domain=example.com");
+expect(setCookie).toContain("SameSite=Lax");
+// Uses exact cookie name from config, not affected by cookiePrefix
+expect(setCookie).toContain(
+"better-auth.last_used_login_method=email",
+);
+},
+},
+);
+});
+
+it("should work with cross-origin cookies", async () => {
+const { client, testUser } = await getTestInstance(
+{
+baseURL: "https://api.example.com",
+advanced: {
+crossOriginCookies: {
+enabled: true,
+},
+defaultCookieAttributes: {
+sameSite: "none",
+secure: true,
+},
+},
+plugins: [lastLoginMethod()],
+},
+{
+clientOptions: {
+plugins: [lastLoginMethodClient()],
+},
+},
+);
+
+await client.signIn.email(
+{
+email: testUser.email,
+password: testUser.password,
+},
+{
+onResponse(context) {
+const setCookie = context.response.headers.get("set-cookie");
+expect(setCookie).toContain("SameSite=None");
+expect(setCookie).toContain("Secure");
+// Should not contain Domain attribute for cross-origin
+expect(setCookie).not.toContain("Domain=");
+expect(setCookie).toContain(
+"better-auth.last_used_login_method=email",
+);
+},
+},
+);
+});
+
+it("should handle cross-origin on localhost for development", async () => {
+const { client, testUser } = await getTestInstance(
+{
+baseURL: "http://localhost:3000",
+advanced: {
+crossOriginCookies: {
+enabled: true,
+allowLocalhostUnsecure: true,
+},
+defaultCookieAttributes: {
+sameSite: "none",
+secure: false,
+},
+},
+plugins: [lastLoginMethod()],
+},
+{
+clientOptions: {
+plugins: [lastLoginMethodClient()],
+},
+},
+);
+
+await client.signIn.email(
+{
+email: testUser.email,
+password: testUser.password,
+},
+{
+onResponse(context) {
+const setCookie = context.response.headers.get("set-cookie");
+expect(setCookie).toContain("SameSite=None");
+// Should not contain Secure on localhost when allowLocalhostUnsecure is true
+expect(setCookie).not.toContain("Secure");
+expect(setCookie).toContain(
+"better-auth.last_used_login_method=email",
+);
+},
+},
+);
+});
+});

packages/better-auth/src/plugins/last-login-method/index.ts

@@ -97,13 +97,21 @@ export const lastLoginMethod = <O extends LastLoginMethodOptions>(
 },
 handler: createAuthMiddleware(async (ctx) => {
 const lastUsedLoginMethod = config.customResolveMethod(ctx);
-lastUsedLoginMethod &&
-ctx.setCookie(config.cookieName, lastUsedLoginMethod, {
+if (lastUsedLoginMethod) {
+// Inherit cookie attributes from Better Auth's centralized cookie system
+// This ensures consistency with cross-origin, cross-subdomain, and security settings
+const cookieAttributes = {
+...ctx.context.authCookies.sessionToken.options,
 maxAge: config.maxAge,
-secure: false,
-httpOnly: false,
-path: "/",
-});
+httpOnly: false, // Override: plugin cookies are not httpOnly
+};
+
+ctx.setCookie(
+config.cookieName,
+lastUsedLoginMethod,
+cookieAttributes,
+);
+}
 }),
 },
 ],