fix: regenerate CSRF token right after session regeneration

CSRF token is not updated when `security.regenerate = false`,
so if same-site attakcers know the CSRF token by session fixation attack,
CSRF attack is possible. To prevent it, regenerate CSRF token right after login.

Author: kenjis

src/Authentication/Authenticators/Session.php

@@ -20,6 +20,7 @@
 use CodeIgniter\Shield\Models\UserIdentityModel;
 use CodeIgniter\Shield\Models\UserModel;
 use CodeIgniter\Shield\Result;
+use Config\Services;
 use stdClass;
 
 class Session implements AuthenticatorInterface
@@ -568,6 +569,9 @@ public function startLogin(User $user): void
         // Regenerate the session ID to help protect against session fixation
         if (ENVIRONMENT !== 'testing') {
             session()->regenerate(true);
+
+            // Regenerate CSRF token even if `security.regenerate = false`.
+            Services::security()->generateHash();
         }
 
         // Let the session know we're logged in