- Jul 21, 2015
Jared Hancock authored
- Feb 11, 2015
Jared Hancock authored
This patch fixes a vulnerable scenario, where sequential login attempts can be made without an existing session, and without a valid CSRF token. This scenario lends itself well to brute force password attempts, because attackers can avoid using a session and still send requests to determine if a set of credentials are valid. This vector also avoids the authentication lockout mechanism, because it requires an ongoing session to shut down the requests. This patch addresses the issue by requiring a session and a valid CSRF token generated by the server and placed in the session to be submitted with the credentials. Therefore, an existing session and a Cookie header are required to process a login attempt. Secondly, the CSRF token will be changed on the server after each login processed. Therefore, for each session, a subsequent GET request would be necessary before submitting another login attempt.
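A Python model of the mechanism this commit message describes, added here as an example and not the project's own code: a login POST is only processed with an existing session whose server-side CSRF token matches, and the token is consumed on every attempt so a fresh GET is needed before the next one. The credential store, the lockout threshold and the username pattern are constructed assumptions.

```python
import re
import secrets
import hmac

# Constructed demo credential store; a real system checks a salted password hash.
USERS = {"alice": "correct horse battery staple"}
MAX_FAILURES = 5  # per-session lockout threshold (assumed value)
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")  # assumed "no spaces or weird chars" rule


class LoginGate:
    """Login form protected by a session-bound, single-use CSRF token."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"csrf": str | None, "failures": int}

    def get_login_page(self, session_id=None):
        """GET: create the session if it does not exist and issue a fresh token."""
        if session_id not in self.sessions:
            session_id = secrets.token_urlsafe(24)
            self.sessions[session_id] = {"csrf": None, "failures": 0}
        token = secrets.token_hex(20)  # plain hex token stored server-side in the session
        self.sessions[session_id]["csrf"] = token
        return session_id, token

    def post_login(self, session_id, token, username, password):
        """POST: returns a status string. Every outcome burns the token, so the
        next attempt in this session requires another GET first."""
        sess = self.sessions.get(session_id)
        if sess is None:
            return "rejected: no session cookie"
        expected, sess["csrf"] = sess["csrf"], None  # rotate before checking anything
        if expected is None or not hmac.compare_digest(expected, token or ""):
            return "rejected: bad csrf token"
        if sess["failures"] >= MAX_FAILURES:
            return "rejected: locked out"  # lockout now sticks to the required session
        if not USERNAME_RE.match(username or ""):
            sess["failures"] += 1
            return "rejected: invalid username"
        if hmac.compare_digest(USERS.get(username, ""), password):
            return "ok"
        sess["failures"] += 1
        return "rejected: bad credentials"
```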
- Sep 11, 2013
Peter Rotich authored
and restarts PHP SESSION
- Aug 30, 2013
Jared Hancock authored
Also include:
* username validation -- no spaces or weird chars
* no longer base64 encoded sha1-hex hash for CSRF token
* refresh login page every two hours to keep session active
- Feb 19, 2013
Peter Rotich authored
- Jul 20, 2012
Peter Rotich authored
Peter Rotich authored
- Jun 23, 2012
Jared Hancock authored
- Jun 20, 2012
Jared Hancock authored
Protect against cross-site request forgery attacks by requiring a special form-field or header to be sent with requests that modify ticket system data. This meant a slight change to the AJAX ticket locking mechanism. It was defined to lock with a GET request; however, GET requests are defined as safe methods and should not modify backend data (such as a lock acquisition). Therefore, the lock acquire AJAX method was changed to require a POST method. Also remove old, no-longer-used staff panel include files.