When a user with a valid remember-me cookie accesses the login page, the loginView() method in LoginController redirects already-logged-in users without preserving cookies.

Bug Location:
vendor/codeigniter4/shield/src/Controllers/LoginController.php:34

Current Code:

  public function loginView()
  {
      if (auth()->loggedIn()) {
          return redirect()->to(config('Auth')->loginRedirect());  // ❌ Missing ->withCookies()
      }
      // ...
  }

Expected Code:

  public function loginView()
  {
      if (auth()->loggedIn()) {
          return redirect()->to(config('Auth')->loginRedirect())->withCookies();  // ✅ Fixed
      }
      // ...
  }

Impact:

When Session::checkRememberMe() validates a remember-me token, it calls refreshRememberMeToken() which:

Generates a new validator
Updates the hashed validator in database
Sends a new cookie via setRememberMeCookie()
However, the redirect at line 34 doesn't include ->withCookies(), so the new cookie is lost. The browser keeps the old cookie with the old validator, which no longer matches the updated hash in the database.

On the next visit, authentication fails with:
hash_equals($token->hashedValidator, $hashedValidator) === false // Session.php:631

Steps to Reproduce
Enable remember-me: $sessionConfig['allowRemembering'] = true
Login with remember-me checkbox checked
Wait for token refresh (or clear session to trigger remember-me authentication)
Access login page → redirect happens but new cookie is lost
Next visit → authentication fails because cookie validator doesn't match database hash
Expected Output
Expected Code:

  public function loginView()
  {
      if (auth()->loggedIn()) {
          return redirect()->to(config('Auth')->loginRedirect())->withCookies();  // ✅ Fixed
      }
      // ...
  }

=> The token will be refreshed in the cookie