@tomatlscomm

When a user with a valid remember-me cookie accesses the login page, the loginView() method in LoginController redirects already-logged-in users without preserving cookies.

Bug Location:
vendor/codeigniter4/shield/src/Controllers/LoginController.php:34

Current Code:

```php
public function loginView()
{
    if (auth()->loggedIn()) {
        return redirect()->to(config('Auth')->loginRedirect());  // ❌ Missing ->withCookies()
    }
    // ...
}
```

Expected Code:

```php
public function loginView()
{
    if (auth()->loggedIn()) {
        return redirect()->to(config('Auth')->loginRedirect())->withCookies();  // ✅ Fixed
    }
    // ...
}
```

Impact:

When Session::checkRememberMe() validates a remember-me token, it calls refreshRememberMeToken() which:

1. Generates a new validator
2. Updates the hashed validator in the database
3. Sends a new cookie via `setRememberMeCookie()`

However, the redirect at line 34 doesn't include `->withCookies()`, so the new cookie is lost. The browser keeps the old cookie with the old validator, which no longer matches the updated hash in the database.

On the next visit, authentication fails with:

```php
hash_equals($token->hashedValidator, $hashedValidator) === false // Session.php:631
```

Steps to Reproduce

1. Enable remember-me: `$sessionConfig['allowRemembering'] = true`
2. Login with the remember-me checkbox checked
3. Wait for token refresh (or clear the session to trigger remember-me authentication)
4. Access the login page → redirect happens but the new cookie is lost
5. Next visit → authentication fails because the cookie validator doesn't match the database hash

Expected Output

Expected Code:

```php
public function loginView()
{
    if (auth()->loggedIn()) {
        return redirect()->to(config('Auth')->loginRedirect())->withCookies();  // ✅ Fixed
    }
    // ...
}
```

=> The token will be refreshed in the cookie

@datamweb datamweb added the tests needed Pull requests that need tests label Jan 8, 2026
@tomatlscomm tomatlscomm changed the title from "Bug: Remember-me token refresh fails in loginView() - missing ->withCookies() on redirect #1305" to "fix: Remember-me token refresh fails in loginView() - missing ->withCookies() on redirect #1305" on Jan 8, 2026
@datamweb datamweb added the bug Something isn't working label Jan 8, 2026
datamweb (Collaborator) commented Jan 8, 2026
