Behavior of session and verification tokens

[ScreamZ]

Hi, currently I'm using database with prisma to store session and verification tokens

About session

At this section of the documentation it's written:

When a Session is read, its expires field is checked to see if the session is still valid. If it has expired, the session is deleted from the database. You can also do this clean-up periodically in the background to avoid Auth.js extra delete call to the database during an active session retrieval. This might result in a slight performance increase.

I've been digging a bit in the source code and found this:

next-auth/packages/core/src/lib/actions/session.ts

Lines 93 to 100 in 24ef3f4

	// If session has expired, clean up the database
	if (
	userAndSession &&
	userAndSession.session.expires.valueOf() < Date.now()
	) {
	await deleteSession(sessionToken)
	userAndSession = null
	}

As far of my understanding, when you try to use a session that is expired, the storage engine remove it.

Here is my first question

¹ Am I responsible to clear verification token and session that expired but never get checked again using a regular task job to avoid overflow the database?

At first look, I would answer YES.

² For Upstash redis adapter, could be nice to use EXPIRE so this way the things get automatically cleared. What do you think ?

About Verification tokens

It's written clearly here same as ² the suggestions remains.

Due to users forgetting or failures during the sign-in flow, you might end up with unwanted rows in your database. You might want to periodically clean these up to avoid filling up your database with unnecessary data.

What do you think about those two things ?

Footnotes

1. Question 1 ↩

2. Second suggestion ↩ ↩²

[thaoms]

But what if your cookie expires, the sessions is never read again? Your old session becomes stale and you get a new one right?