ee91d179 introduced a slightly different
tracking system for detecting sessions. Instead of completely disabling the
session system for AJAX and cron requests, it detects if the session is new
or not based on the session_id() and existing data in the session backend.

However, the patch did not correctly determine if a session was new.
Instead, it flagged all session as existing. This patch fixes the detection
of existing session data so that AJAX and cron requests can operate without
writing session data to the backend.

DISABLE_SESSION define is changed so that existing session are continued
but new sessions are not saved. This allows external auth backends to
redirect to an external site and that site redirect back to a `/api` URL and
the user's session will be continued.

This is necessary to make sure session data is saved on redirect.

And deadband session token updates to 1 per 30 seconds

8e72e521 (v1.7.1.2+) introduced a bug where
osTicket version 1.6 would not send a cookie (by calling PHP
session_start()) for the login page. Therefore, after unpacking the 1.7.1
source code, an upgrade would not be possible, because a login would never
be processed correctly.

if the domain given in HTTP_HOST variable happens to have a port
specification. Technically, the port specification should not be included in
the domain spec given in the cookie.

(And for the record, that makes no sense to me, seeing as a cookie would
otherwise be valid for all servers on any ports at a particular domain).

Web browsers don't appreciate a cookie domain without any dots. This patch
detects the originally-requested domain for the request. If the domain does
not contain dots (such as 'localhost' or the name of a local server on your
network defined in your hosts file), no cookie domain is sent.

The greatest symptom of this issue what the illustrious 'Invalid CSRF token'
seen repeatedly on the scp login page. The reason is that the browser was
rejecting the cookie from the server.

Fixes #677, #672, #653

Web browsers don't appreciate a cookie domain without any dots. This patch
detects the originally-requested domain for the request. If the domain does
not contain dots (such as 'localhost' or the name of a local server on your
network defined in your hosts file), no cookie domain is sent.

The greatest symptom of this issue what the illustrious 'Invalid CSRF token'
seen repeatedly on the scp login page. The reason is that the browser was
rejecting the cookie from the server.

Fixes #677, #672, #653

Which will help against clobbering session cookies against other PHP
applications shared on a parent domain of the domain hosting osTicket or in
a parent folder or virtual folder.

Disable DB session storage. This chews up database space and processing time
for a request that will never resume the same session (given the current API
model anyway).

- timezone_offset was dropped from the config table at 1.7-dpr1
- upgrader: only apply five patches in one request
- upgrader: fix readPatchInfo to work correctly
- session: support migrating from 1.6 (again)
- config: support migrating from 1.6 (fallback)
- config: no default for 'isonline' setting
- config: fix SQL whitespace issue for schema signature fallbacks
- config: hash 1.6 versions in the schema signature lookup
- upgrader: fix logging bug in attachment migration

Allow (a subset of) the configuration to also be saved in the session to
make session-backed data more consistent and compatible with up-and-coming
multi-site setups.

Drop required usage of MyISAM tables, and drop fulltext indexes as they
are not used in the code currently anyway. Also, use a blob to store
session data so as not to waste space with UTF-8 encoding. Lastly, fix
session_id storage to use VARCHAR(255) which is required for versions
of MySQL < 5.0.3, and use ascii for the storage model for the
session_id as it will contain simple characters only.

Migrate the PHP session from disk to database live. To pull this off, the
session contents are written to database under the current session id. When
the `ostversion` column is dropped from the %config table, the system will
automatically switch to database-backed sessions in osTicket 1.7 mode.

This is sort-of hacked together by carefully calling a instance method of
the osTicketSession class statically, and modify the instance method to
support static invocation.