Not correct LOGIN process documentation using API or bug

When i POST auth/login with correct user name and password it returns http status 200 with header ‘Set-Cookie: CAKEPHP=ephvljg3afl4bju5d6n7m59fpj; path=/; HttpOnly’ and not expected csrfToken. To get csrfToken i should call auth/checkSession and this is not documented in schema description.

I think that this is bug and Login POST as a result should return CAKEPHP and csrfToken.

Also it is not clear what to do when token is near expiration end. What should be token renewal procedure?