Issue #2572643 by alexpott, attiks, Jelle_S, jhodgdon: Fix Drupal.Commenting.FileComment coding standard

Issue #2437761 by Dom., znerol: CSRF token seed and possibly other session data lost when set after a session regenerate

Issue #1987572 by mrded, vijaycs85, Sean Buscay: Convert session_test() callbacks to a new style controller.

Issue #1668866 by ParisLiakos, aspilicious, tim.plunkett, pdrake, g.oechsler, dawehner, Berdir, corvus_ch, damiankloip, disasm, marcingy, neclimdul: Replace drupal_goto() with RedirectResponse.

Issue #200344 by Pancho, pillarsdotnet, pdrake, sun: Remove user_module_invoke() and rename user_login_block() to user_login_block_form().

Issue #1772584 by andypost, gumanist, nod_: Get rid of user_login_block() & user_login() in favour of user_login_form().

Nate Lampton authored Oct 30, 2011 and catch committed Nov 01, 2011

Issue #22336 by quicksketch, scor, boombatower, and rfay. Move all core Drupal files under a core subdirectory.

- Patch #502190 by jhodgdon, stella, sun: hook implementation headers out of compliance with standards.

- Patch by #1577 by chx, boombatower, Bèr Kessels, kkaefer: made SSL support a bit easier by providing two cookies and ... hook_goto_alter.

- Patch #497612 by Moshe Weitzman et al: harden user login by correctly using the form API.  Complete commit now.  Thank you, thank you.

- Patch #201122 by c960657, Moshe Weitzman: never write anonymous sessions, unless something has been written to . This is an important performance improvements -- as long as you use modules that use  carefully. It might be good to report some analytics about this in the performance settings page so administrators can see if there is a 'broken' module.

- Patch #280934 by pwolanin, swentel, et al: harden session regeneration.  It took a while, but it comes with tests and extra features now.

- Patch #243532 by Damien Tournoud et al: catch notices, warnings and fatal errors during testing.  Woop, woop.