security fixes forward ported from Drupal 5.2 - previously not committed parts of http://drupal.org/cvs?commit=74833

- Patch #163191 by hswong3i: removed db_num_rows() for compatibility with Oracle and DB2.  Also a performance improvement.

- Patch #44947 by rkerr / Moshe: fixed race condition in session handling, reduced query overhead of session handling, reduced database overhead of session handling.

- Patch #44379 by Moshe: code improvements: always grant the 'authenticated user' role to authenticated users.  Fixed glitch with udpate path.

  up the documentation a little.

  chx: can you double-check whether the global $conf variable is secure?
       (That is, make sure it can't be send using the URL or something.)

  keep track of the user's last access. In turn, this allowed me to:

  1. Optimize the "Who's online" block.  On drupal.org, the "Who's online"
     block requires 32 SQL queries.  With this patch, only 2 queries are
     left (eliminated 30 SQL queries), and one of the two remaining queries
     became appr. 20 times faster.

  2. Correct the "Last access" column in the user administration overview
     table.  The presented data was not accurate, which led to the column
     being removed.  You can now sort users by 'last access'.

Drupal's existing caching mechanism doesn't perform well on highly dynamic websites in which the cache is flushed frequently. One example is a site that is under attack by a spambot that is posting spam comments every few seconds, causing all cached pages to be flushed every few seconds.  Loose caching immediately flushes the cache only for specific users who have modified cached data (whether or not they are logged in), delaying the flushing of data for other users by several minutes.

(I rewrote the help text a bit and made minor changes to the code comments.)

- Patch #15399 by adschar: fixed PHP5 error when a new session is inserted into the session table. (Better fix.)

- Patch #15399 by adschar: fixed PHP5 error when a new session is inserted into the session table.

- Performance improvement: made 'sid' the primary key of the sessions table.
  That should improve performance of session handling as well improve
  performance of the "Who's online"-block.  Drupal.org's sessions table
  contains appr. 40.000 sessions on a slow day and rendering the "Who's
  online"-block became a performance bottleneck.

  This change has yet to be tested on a busy site so things might go wrong.

- Patch by JonBob: for consistency and readability, add brief descriptions of each source file inside the @file comment block at the head of the file. This helps with Doxygen indexing, and also allows neophytes to see what a file does immediately on opening the source, regardless of the organization of the hooks.

- Added support for multiple user roles.  Patch by Jim Hriggs.

- Fixed bug in session query that prevented sessions to work on PostgreSQL.
  Patch by Adrian.

- Patch 4859: new drupal_unpack() consolidates duplicate code and makes it
  easy to show avatars next to nodes and comments.  Patch by Moshe.  As a
  showcase, maybe Xtemplate should have an option to enable/disable avatars?

- Fixed bug 4745: undefined warning in sess_read().

- Fixed race condition in session handler.  Patch by Kjartan.