- Dec 18, 2019
JediKev authored
This addresses the `session_destroy()` warning many people are receiving with PHP 7+. The warning states `PHP Warning: session_destroy(): Session callback expects true/false return value`. This is because our session destroy method does not always return true/false; sometimes it returns `int(1)`. This adds a check to see if the session was not deleted successfully; if not, it returns false, otherwise it returns true. This will ensure `session_destroy()` always receives a true/false return value.
- Apr 16, 2019
Peter Rotich authored
- Jul 18, 2018
Jared Hancock authored
- Mar 09, 2018
aydreeihn authored
login: Fix CSRF fail, add shake effect on authentication fail #3955 (minor fix to SQL query generated)
- Oct 19, 2017
JediKev authored
This addresses issue 4015 where osTicket’s cookies aren’t HttpOnly by default. The HttpOnly flag helps prevent client scripts accessing the cookie. This updates the method that sets the cookie params to include the HttpOnly flag.
- Sep 12, 2017
Jared Hancock authored
This fixes an issue where the current session data is not retrieved from the database, because it is expired. However, the session-id is not reset either. Therefore, the session data with the new CSRF token is not updated in the database and the user may have trouble logging in. This problem manifests itself as a session expires. If a user clicks somewhere in the software and their session is now expired, a redirect to the login page is triggered. However, the CSRF token sent in the login page is not saved in the database. So when the user logs in, they are greeted with the CSRF failure message. This issue is addressed by retrieving the session data from the database, but clearing the content. Therefore it appears to the software as invalid and is properly reset and saved to the database, thereby avoiding the errors.
- Jul 19, 2017
JediKev authored
This addresses an issue where expired sessions would not be removed from the database. This caused the session table to fill up and create unnecessary issues. This adds a cleanup method to remove all expired sessions from the database.
- Apr 24, 2016
Peter Rotich authored
Session backend issues update via write on new session which caused assertion to fail.
- Mar 19, 2016
Jared Hancock authored
Also, rename other apc_xxx functions to the new apcu_xxx equivalents available since PHP 5.4.
- Mar 18, 2016
Jared Hancock authored
This commit attempts to remove all coding standard warnings emitted by PHP 7.0.
- Jul 21, 2015
Jared Hancock authored
This allows messages to be stashed in the session and displayed on a following request. This will be pivotal in implementing the PRG (post-redirect-get).
- May 15, 2015
Jared Hancock authored
- May 13, 2015
Jared Hancock authored
- May 08, 2015
Jared Hancock authored
- Feb 06, 2015
Jared Hancock authored
- Jul 18, 2014
Jared Hancock authored
The PHP.ini default is 1440 seconds (24 minutes). This should be configured to something significantly higher so that the settings in the admin panel concerning session timeouts are relevant. Ideally, the settings from the control panel would be used, but currently there is an inter-dependency between session and config startups.
- May 26, 2014
Jared Hancock authored
ee91d179 introduced a slightly different tracking system for detecting sessions. Instead of completely disabling the session system for AJAX and cron requests, it detects if the session is new or not based on the session_id() and existing data in the session backend. However, the patch did not correctly determine if a session was new. Instead, it flagged all sessions as existing. This patch fixes the detection of existing session data so that AJAX and cron requests can operate without writing session data to the backend.
- Apr 25, 2014
Jared Hancock authored
DISABLE_SESSION define is changed so that existing sessions are continued but new sessions are not saved. This allows external auth backends to redirect to an external site and that site redirects back to a `/api` URL and the user's session will be continued.
- Feb 18, 2014
Peter Rotich authored
This is necessary to make sure session data is saved on redirect.
- Feb 13, 2014
Jared Hancock authored
- Jan 15, 2014
Jared Hancock authored
And deadband session token updates to 1 per 30 seconds
- Sep 23, 2013
Jared Hancock authored
8e72e521 (v1.7.1.2+) introduced a bug where osTicket version 1.6 would not send a cookie (by calling PHP session_start()) for the login page. Therefore, after unpacking the 1.7.1 source code, an upgrade would not be possible, because a login would never be processed correctly.
- Sep 13, 2013
Jared Hancock authored
if the domain given in HTTP_HOST variable happens to have a port specification. Technically, the port specification should not be included in the domain spec given in the cookie. (And for the record, that makes no sense to me, seeing as a cookie would otherwise be valid for all servers on any ports at a particular domain).
- Sep 06, 2013
Jared Hancock authored
Web browsers don't appreciate a cookie domain without any dots. This patch detects the originally-requested domain for the request. If the domain does not contain dots (such as 'localhost' or the name of a local server on your network defined in your hosts file), no cookie domain is sent. The greatest symptom of this issue was the illustrious 'Invalid CSRF token' seen repeatedly on the scp login page. The reason is that the browser was rejecting the cookie from the server. Fixes #677, #672, #653
Jared Hancock authored
Web browsers don't appreciate a cookie domain without any dots. This patch detects the originally-requested domain for the request. If the domain does not contain dots (such as 'localhost' or the name of a local server on your network defined in your hosts file), no cookie domain is sent. The greatest symptom of this issue was the illustrious 'Invalid CSRF token' seen repeatedly on the scp login page. The reason is that the browser was rejecting the cookie from the server. Fixes #677, #672, #653
- Aug 07, 2013
Jared Hancock authored
Which will help against clobbering session cookies against other PHP applications shared on a parent domain of the domain hosting osTicket or in a parent folder or virtual folder.
- Jul 12, 2013
Jared Hancock authored
Disable DB session storage. This chews up database space and processing time for a request that will never resume the same session (given the current API model anyway).
- May 28, 2013
Jared Hancock authored
- timezone_offset was dropped from the config table at 1.7-dpr1
- upgrader: only apply five patches in one request
- upgrader: fix readPatchInfo to work correctly
- session: support migrating from 1.6 (again)
- config: support migrating from 1.6 (fallback)
- config: no default for 'isonline' setting
- config: fix SQL whitespace issue for schema signature fallbacks
- config: hash 1.6 versions in the schema signature lookup
- upgrader: fix logging bug in attachment migration
Jared Hancock authored
Allow (a subset of) the configuration to also be saved in the session to make session-backed data more consistent and compatible with up-and-coming multi-site setups.
- May 23, 2013
Jared Hancock authored
Drop required usage of MyISAM tables, and drop fulltext indexes as they are not used in the code currently anyway. Also, use a blob to store session data so as not to waste space with UTF-8 encoding. Lastly, fix session_id storage to use VARCHAR(255) which is required for versions of MySQL < 5.0.3, and use ascii for the storage model for the session_id as it will contain simple characters only.
- Feb 19, 2013
Peter Rotich authored
- Jun 28, 2012
Jared Hancock authored
Migrate the PHP session from disk to database live. To pull this off, the session contents are written to database under the current session id. When the `ostversion` column is dropped from the %config table, the system will automatically switch to database-backed sessions in osTicket 1.7 mode. This is sort-of hacked together by carefully calling an instance method of the osTicketSession class statically, and modifying the instance method to support static invocation.
- May 13, 2012
Peter Rotich authored
- Mar 19, 2012
Jared Hancock authored