Bug 23371: Fix CSRF similar to r64677 covering the other three execute()
branches. Checks added to mailPassword() and addNewAccountInternal()
(covers addNewAccount & addNewAccountMailPassword).
Paranoia: Use different tokens for login and account creation.
* For wikis allowing public account creation, an attacker could create
many accounts via proxying users, avoiding IP blocks; the anon gets
logged in (wikis using ConfirmEdit to request a captcha for createaccount
are protected from this).
* If the victims were logged-in users, the attacker could create the
accounts by email and flood innocent parties using the wiki as gateway.
* If the victim was a sysop, the attacker could not only bypass the
captcha protection, but also the username blacklist.
* It also provides a way to bypass the blocks and ping limit for sending
many password resets, flooding its targets.
* On private wikis, an account creation by targeting a sysop may expose
confidential information.
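
The per-purpose token check this commit message describes, sketched as an added example (not MediaWiki's code and not part of the commit). The function names, the session layout and the choice to let the password-reset branch share the login token are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not MediaWiki code. All names here are hypothetical.
// The session is a plain array so the script runs from the CLI.

function issueToken(array &$session, string $purpose): string
{
    // One independent random secret per purpose, created on first use.
    if (!isset($session['csrf'][$purpose])) {
        $session['csrf'][$purpose] = bin2hex(random_bytes(16));
    }
    return $session['csrf'][$purpose];
}

function checkToken(array $session, string $purpose, $submitted): bool
{
    $expected = $session['csrf'][$purpose] ?? null;
    if (!is_string($expected) || !is_string($submitted) || $submitted === '') {
        return false; // nothing issued for this purpose, or nothing usable sent
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Assumed mapping of form branches to token purposes (mailpassword sharing
// the login token is this example's choice, not taken from the commit).
const BRANCH_PURPOSE = [
    'login'             => 'login',
    'mailpassword'      => 'login',
    'createaccount'     => 'createaccount',
    'createaccountmail' => 'createaccount',
];

function mayExecute(array $session, string $branch, array $post): bool
{
    $purpose = BRANCH_PURPOSE[$branch] ?? null;
    // Unknown branches are refused; known ones must carry the right token.
    return $purpose !== null
        && checkToken($session, $purpose, $post['token'] ?? null);
}

// Constructed requests against one session.
$session = [];
$login  = issueToken($session, 'login');
$create = issueToken($session, 'createaccount');

var_dump(mayExecute($session, 'createaccount', ['token' => $create])); // matching token
var_dump(mayExecute($session, 'createaccount', ['token' => $login]));  // login token reused
var_dump(mayExecute($session, 'mailpassword', []));                    // cross-site POST, no token
```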