Uses a seven step procedure:
  1. (user) Fails to login twice or more
  2. Clicks the 'Forgot my password' link on the login form
  3. Submits the username or email address and triggers a password-reset
     email
  4. Clicks the link in the email and is directed back to the reset page
  5. Enters the username or email again and is logged in
  6. Password change is forced, but current password is not required
  7. Password is updated, user can continue the session without
     authenticating again

Change the config table from a column-based table to a key-value table
with namespacing. This allows several parts of osTicket to store their
respective configurations in the same table without requiring database
structure updates

'namespace' is reserved in PHP

* Collapse date settings into system settings.
* Move auto-cron setting to emails settings page.
* Move clickable urls setting to tickets settings page.

Protect againts cross-site request forgery attacks by requiring a special
form-field or header to be sent with requests that modify ticket system
data.

This meant a slight change to the AJAX ticket locking mechanism. It was
defined to lock with a GET request; however, GET requests are defined as
safe methods and should not modify backend data (such as a lock
acquisition). Therefore, the the lock acquire AJAX method was changed to
require a POST method.

Also remove old, no-longer-used staff panel include files