This is a follow up ticket to the previous change of requiring cookies for sessions. Changes that should be included in this are mainly for better UX and also to ensure previously expected CSRF with forced session IDs still is valid with the new approach that does not use session IDs in URLs anymore.
These include, among others:
- Ensure login / logout is properly checked
- Ensure simple actions like marking of forums, subscribing, etc. are properly secured
- Default to having "Remember me" enabled
- Do not retrieve "sid" in URL unless force_sid is being used