Merge pull request #8166 from kenjis/docs-csrf-cookie-warning

docs: add warning on CSRF cookie and redirect()

Author: kenjis

user_guide_src/source/libraries/security.rst

@@ -107,7 +107,9 @@ Token Regeneration
 ------------------
 
 Tokens may be either regenerated on every submission (default) or
-kept the same throughout the life of the CSRF cookie. The default
+kept the same throughout the life of the Session or CSRF cookie.
+
+The default
 regeneration of tokens provides stricter security, but may result
 in usability concerns as other tokens become invalid (back/forward
 navigation, multiple tabs/windows, asynchronous actions, etc). You
@@ -116,6 +118,10 @@ may alter this behavior by editing the following config parameter value in
 
 .. literalinclude:: security/004.php
 
+.. warning:: If you use Cookie based CSRF protection, and :php:func:`redirect()`
+    after the submission, you must call ``withCookie()`` to send the regenerated
+    CSRF cookie. See :ref:`response-redirect` for details.
+
 .. note:: Since v4.2.3, you can regenerate CSRF token manually with the
     ``Security::generateHash()`` method.