Session Cookie Auth, Forgot-Password Timeouts, and Killing Flaky E2E Tests

Source: DEV Community
The Auth Stack Was Wrong

Hustle (hustlestats.io) is a youth soccer statistics platform built on Next.js 15 and Firebase. The auth system worked — until it didn't. Users were getting logged out after one hour despite having a 14-day cookie. The forgot-password flow was timing out with 504 errors. And the Playwright E2E tests were failing randomly on every other run. Three problems. Three different root causes. One painful week.

Why Session Cookies Beat Raw ID Tokens

Firebase ID tokens expire in one hour. That's by design: they're short-lived credentials for API calls. But Hustle was storing raw ID tokens in cookies with a 14-day maxAge:

```javascript
// BEFORE: Storing raw ID token (expires in 1 hour)
response.cookies.set('__session', idToken, {
  maxAge: 60 * 60 * 24 * 14, // 14 days — but the token dies in 1 hour
  httpOnly: true,
  secure: useSecureCookie,
  sameSite: 'lax',
});
```

The cookie lasted 14 days. The token inside it lasted 1 hour. After that hour, verifyIdToken() threw an error, and the user got
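The mismatch above is easy to spot once you compare the cookie's maxAge with the token's exp claim, and the fix the heading points at is to exchange the short-lived ID token for a Firebase session cookie whose signed expiry actually matches the cookie lifetime. The following is an added example, not code from the Hustle repository: it decodes exp to measure the dead-token window of the BEFORE snippet, then builds the AFTER cookie with a lifetime that agrees with the Admin SDK's expiresIn. It assumes the caller passes in a function with the shape of firebase-admin's getAuth().createSessionCookie (injected so the file runs offline), that the 5-minute to 2-week bounds on expiresIn are the ones the Admin SDK enforces, and it uses a constructed, unsigned look-alike token as sample input. The read side of the fix, verifySessionCookie(cookie, true) with revocation checking, is not shown.

```typescript
// Firebase Admin's createSessionCookie accepts expiresIn between 5 minutes
// and 2 weeks, in milliseconds (assumption: the SDK rejects anything outside).
const MIN_SESSION_MS = 5 * 60 * 1000;
const MAX_SESSION_MS = 14 * 24 * 60 * 60 * 1000;

// Same shape as getAuth().createSessionCookie from firebase-admin. It is
// injected rather than imported so this file runs without Firebase credentials.
type CreateSessionCookie = (
  idToken: string,
  opts: { expiresIn: number },
) => Promise<string>;

// Options for Next.js response.cookies.set / cookies().set: maxAge is in SECONDS,
// while the Admin SDK's expiresIn is in milliseconds. Mixing them is a second,
// quieter version of the bug on this page.
interface SessionCookieOptions {
  maxAge: number;
  httpOnly: boolean;
  secure: boolean;
  sameSite: "lax" | "strict" | "none";
  path: string;
}

// Read the exp claim (seconds since epoch) from a JWT without verifying it.
// Diagnostics only: an unverified token must never be used to authorize anything.
function decodeExp(jwt: string): number {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (typeof claims.exp !== "number") throw new Error("JWT has no exp claim");
  return claims.exp;
}

// The defect on this page: how many seconds (0 if none) a cookie with the given
// maxAge keeps circulating after the ID token inside it has expired.
function cookieOutlivesToken(idToken: string, maxAgeSeconds: number, nowSeconds: number): number {
  const tokenTtl = decodeExp(idToken) - nowSeconds;
  return Math.max(0, maxAgeSeconds - tokenTtl);
}

// Cookie options whose lifetime matches the session cookie's real expiry,
// converting the SDK's milliseconds to the cookie attribute's seconds.
function sessionCookieOptions(expiresInMs: number, secure: boolean): SessionCookieOptions {
  if (!Number.isInteger(expiresInMs) || expiresInMs < MIN_SESSION_MS || expiresInMs > MAX_SESSION_MS) {
    throw new RangeError("expiresIn must be 5 minutes to 14 days, in milliseconds");
  }
  return { maxAge: Math.floor(expiresInMs / 1000), httpOnly: true, secure, sameSite: "lax", path: "/" };
}

// AFTER: exchange a freshly minted ID token for a session cookie. The Admin SDK
// signs the cookie with the requested expiry, so a 14-day maxAge is now honest.
async function issueSessionCookie(
  idToken: string,
  createSessionCookie: CreateSessionCookie,
  expiresInMs: number = MAX_SESSION_MS,
  secure: boolean = true,
): Promise<{ name: string; value: string; options: SessionCookieOptions }> {
  const options = sessionCookieOptions(expiresInMs, secure); // validate before the network call
  const value = await createSessionCookie(idToken, { expiresIn: expiresInMs });
  return { name: "__session", value, options };
}

// Constructed sample: an unsigned look-alike of a Firebase ID token with the
// one-hour lifetime the page describes. Not a real token.
function sampleIdToken(issuedAtSeconds: number): string {
  const b64url = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const header = b64url({ alg: "RS256", typ: "JWT" });
  const payload = b64url({ iat: issuedAtSeconds, exp: issuedAtSeconds + 3600, sub: "user_123" });
  return `${header}.${payload}.signature-omitted`;
}

// Stand-alone demo of the before/after numbers.
const now = 1_700_000_000;
const token = sampleIdToken(now);
console.log("dead-token window (s):", cookieOutlivesToken(token, 14 * 24 * 60 * 60, now));
console.log("session cookie maxAge (s):", sessionCookieOptions(MAX_SESSION_MS, true).maxAge);
```

In a Next.js 15 route handler you would call issueSessionCookie with the real getAuth().createSessionCookie and pass name, value and options straight to response.cookies.set; validating expiresIn before the SDK call keeps a bad constant from surfacing as a confusing 4xx from Firebase at login time.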