Issue #11738: Deprecate $g_session_key configuration option

We don't need to use a unique 'session_key' configuration option anymore
as we can just derive a unique key from $g_crypto_master_salt.

config_defaults_inc.php

@@ -234,13 +234,6 @@
  */
 $g_session_handler = 'php';
 
-/**
- * Session key name. Should be unique between multiple installations to prevent
- * conflicts.
- * @global string $g_session_key
- */
-$g_session_key = 'MantisBT';
-
 /**
  * Session save path.  If false, uses default value as set by session handler.
  * @global bool $g_session_save_path

core/obsolete.php

@@ -155,3 +155,4 @@
 config_obsolete( 'show_queries_threshold', 'show_log_threshold' );
 config_obsolete( 'show_queries_list' );
 config_obsolete( 'administrator_email', 'webmaster_email' );
+config_obsolete( 'session_key' );

core/session_api.php

@@ -102,7 +102,7 @@ function __construct( $p_session_id=null ) {
 		global $g_cookie_secure_flag_enabled;
 		global $g_cookie_httponly_flag_enabled;
 
-		$this->key = config_get_global( 'session_key' );
+		$this->key = hash( 'whirlpool', 'session_key' . config_get_global( 'crypto_master_salt' ), true );
 
 		# Save session information where specified or with PHP's default
 		$t_session_save_path = config_get_global( 'session_save_path' );