Regenerating the ID protects against session fixation, where an attacker takes someone else's session ID as their own by adjusting the session ID in their cookies.
As an example situation:
- I go to www.nsa.gov on Edward Snowden's computer while he's at lunch.
- I note his `PHPSESSID` cookie.
- I wait for him to log in to the super-secure system.
- I can now set my `PHPSESSID` value to his and have his access.
Regenerating the session on login and privilege escalation means the ID I'd grabbed is now useless.
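As an added example (not code from the original answer), here is what the regeneration step looks like in a PHP login handler: a new ID is issued at authentication and again at privilege escalation, and the old server-side session data is discarded. The `check_credentials()` function, the `$account` fields and the admin step are assumptions for illustration; `session_regenerate_id()`, `session.use_strict_mode` and the cookie calls are standard PHP.

```php
<?php
// Added example, not from the original answer. Assumed pieces:
// check_credentials(), the $account array layout and elevate_to_admin().
declare(strict_types=1);

// Strict mode makes PHP refuse a session ID it did not issue itself, so an
// ID planted in the victim's cookie jar before login is never accepted.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Placeholder credential check: look the user up and verify the stored hash
// with password_verify(). Returns ['id' => ..., 'role' => ...] or null.
function check_credentials(string $user, string $password): ?array
{
    return null;
}

function login(string $user, string $password): bool
{
    $account = check_credentials($user, $password);
    if ($account === null) {
        return false;
    }

    // Issue a fresh ID now that the session is authenticated. The argument
    // (delete_old_session = true) removes the server-side data stored under
    // the ID the browser presented, so whoever noted that ID before login
    // holds nothing usable.
    session_regenerate_id(true);

    $_SESSION['user_id'] = $account['id'];
    $_SESSION['role']    = $account['role'];
    $_SESSION['auth_at'] = time();
    return true;
}

function elevate_to_admin(): void
{
    // Same treatment whenever the session gains privileges: the ID that was
    // valid for the lower-privilege state must not carry over.
    session_regenerate_id(true);
    $_SESSION['role'] = 'admin';
}

function logout(): void
{
    $_SESSION = [];
    // Expire the browser's cookie as well as destroying the server-side data,
    // so the old ID is dead on both ends.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The call belongs directly after the credential check succeeds and before any user data is written to `$_SESSION`; the new `Set-Cookie` header goes out with the same response, so the browser switches IDs transparently while the ID observed at lunchtime no longer maps to any session on the server.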