
Bug: Remember-me token refresh fails in loginView() - missing ->withCookies() on redirect #1305

@tomatlscomm

Description

PHP Version

8.3

CodeIgniter4 Version

4.6.3

Shield Version

1.2.0

Which operating systems have you tested for this bug?

macOS

Which server did you use?

apache

Database

10.11.13-MariaDB

Did you customize Shield?

No

What happened?

[Note: I used Claude Code to redact the text below, but the issue has been traced by a human]

When a user with a valid remember-me cookie accesses the login page, the loginView() method in LoginController redirects already-logged-in users without preserving cookies.

Bug Location:
vendor/codeigniter4/shield/src/Controllers/LoginController.php:34

Current Code:

  public function loginView()
  {
      if (auth()->loggedIn()) {
          return redirect()->to(config('Auth')->loginRedirect());  // ❌ Missing ->withCookies()
      }
      // ...
  }

Expected Code:

  public function loginView()
  {
      if (auth()->loggedIn()) {
          return redirect()->to(config('Auth')->loginRedirect())->withCookies();  // ✅ Fixed
      }
      // ...
  }

Impact:

When Session::checkRememberMe() validates a remember-me token, it calls refreshRememberMeToken() which:

  1. Generates a new validator
  2. Updates the hashed validator in database
  3. Sends a new cookie via setRememberMeCookie()

However, the redirect at line 34 doesn't include ->withCookies(), so the new cookie is lost. The browser keeps the old cookie with the old validator, which no longer matches the updated hash in the database.

On the next visit, authentication fails with:
hash_equals($token->hashedValidator, $hashedValidator) === false // Session.php:631

Steps to Reproduce

  1. Enable remember-me: $sessionConfig['allowRemembering'] = true
  2. Login with remember-me checkbox checked
  3. Wait for token refresh (or clear session to trigger remember-me authentication)
  4. Access login page → redirect happens but new cookie is lost
  5. Next visit → authentication fails because cookie validator doesn't match database hash

Expected Output

=> The token will be refreshed in the cookie

Anything else?

No response
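To make the failure mode in this report reproducible offline, here is an added example; it is not Shield or CodeIgniter code. It models the remember-me flow with three small stand-ins (a selector/validator token store, a global Response, and a RedirectResponse whose withCookies() copies the global response's cookies, which is what CodeIgniter's method does) and runs the login-page visit twice: once with the redirect dropping the refreshed cookie, once with withCookies(). The class and function names (RememberTokenStore, Response, RedirectResponse, visitLoginPage, demo) are assumptions for illustration, not Shield's own API.

```php
<?php
declare(strict_types=1);

// Added example, not Shield/CodeIgniter code: stand-ins that model the
// remember-me refresh described in the report. Names are assumptions.

class RememberTokenStore
{
    /** @var array<string, string> selector => sha256(validator), like the DB row */
    private array $rows = [];

    // Issue a fresh selector:validator cookie; only the hashed validator is stored.
    public function issue(): string
    {
        return $this->store(bin2hex(random_bytes(12)), bin2hex(random_bytes(20)));
    }

    // Rotate the validator for an existing selector (what refreshRememberMeToken does).
    public function rotate(string $selector): string
    {
        return $this->store($selector, bin2hex(random_bytes(20)));
    }

    // Return the selector when the cookie's validator matches the stored hash, else null.
    public function check(string $cookie): ?string
    {
        $parts = explode(':', $cookie, 2);
        if (count($parts) !== 2 || !isset($this->rows[$parts[0]])) {
            return null;
        }
        [$selector, $validator] = $parts;
        // Constant-time compare of the hashes, as in Shield's checkRememberMe().
        return hash_equals($this->rows[$selector], hash('sha256', $validator)) ? $selector : null;
    }

    private function store(string $selector, string $validator): string
    {
        $this->rows[$selector] = hash('sha256', $validator);
        return $selector . ':' . $validator;
    }
}

// Stand-in for the global Response that setRememberMeCookie() writes to.
class Response
{
    /** @var array<string, string> cookie name => value */
    public array $cookies = [];

    public function setCookie(string $name, string $value): void
    {
        $this->cookies[$name] = $value;
    }
}

// Stand-in for RedirectResponse: withCookies() copies the global response's cookies.
class RedirectResponse extends Response
{
    public function __construct(private Response $global) {}

    public function withCookies(): static
    {
        $this->cookies = array_merge($this->cookies, $this->global->cookies);
        return $this;
    }
}

// One request to the login page from a browser holding a remember cookie but no
// session. Returns the cookie jar the browser has after receiving the redirect.
function visitLoginPage(RememberTokenStore $db, array $jar, bool $withCookies): array
{
    $global   = new Response();
    $selector = $db->check($jar['remember'] ?? '');
    if ($selector === null) {
        throw new RuntimeException('remember-me validation failed');
    }
    // loggedIn() -> checkRememberMe() -> refreshRememberMeToken(): new validator, new cookie.
    $global->setCookie('remember', $db->rotate($selector));

    $redirect = new RedirectResponse($global);
    if ($withCookies) {
        $redirect->withCookies(); // the fix: carry the Set-Cookie on the redirect
    }
    // The browser only stores cookies present on the response it actually receives.
    return array_merge($jar, $redirect->cookies);
}

// Login with "remember me", hit the login page once (token rotates), then come back.
function demo(bool $withCookies): bool
{
    $db  = new RememberTokenStore();
    $jar = ['remember' => $db->issue()];
    $jar = visitLoginPage($db, $jar, $withCookies);
    try {
        visitLoginPage($db, $jar, $withCookies);
        return true;
    } catch (RuntimeException) {
        return false;
    }
}

var_dump(demo(false)); // redirect without withCookies(): stale validator, next visit fails
var_dump(demo(true));  // redirect with withCookies(): refreshed cookie reached the browser
```

Run it with `php demo.php`. Rotating the validator on every remember-me use is the right design, since it limits how long a stolen cookie stays valid, but it also means any response that ends a request in which `auth()->loggedIn()` refreshed the token must deliver the new cookie; for a CodeIgniter redirect that is `->withCookies()`, so it is worth checking every redirect issued after a `loggedIn()` call, not only the one in `loginView()`.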
