Prevent SSO fixation attacks against WebGUI by modifying Operation/SSO to log the user in as the user with a different session, and to require a flag in the config file to enable it. This feature will be removed in WebGUI 8. Fixes bug #12004.
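
The two halves of the fix described in the commit message, the config gate and "log the user in with a different session", as an added illustration that is not WebGUI's own code (WebGUI is Perl; this is a standalone Python model of the idea). The session store, the helper names `sso_login_vulnerable` and `sso_login_hardened`, and the attack sequence in `main` are all constructed for this example; only the key name `enableSimpleSSO` comes from the page.

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session id -> user id, None = anonymous.
SESSIONS: Dict[str, Optional[str]] = {}


def new_session() -> str:
    """Create an anonymous session with an unguessable id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = None
    return sid


def whoami(session_id: str) -> Optional[str]:
    """Return the user bound to a session id, or None if anonymous/unknown."""
    return SESSIONS.get(session_id)


def sso_login_vulnerable(session_id: str, user_id: str) -> Optional[str]:
    """Fixation-prone pattern: the user is logged in *into* the session id the
    caller supplied. Whoever chose that id (an attacker who seeded it and then
    lured the victim through the SSO endpoint) now holds an authenticated session."""
    if session_id not in SESSIONS:
        return None
    SESSIONS[session_id] = user_id
    return session_id


def sso_login_hardened(session_id: str, user_id: str, config: dict) -> Optional[str]:
    """Mitigated pattern modelled on the commit message: refuse unless the config
    flag is set, and bind the user to a freshly generated session instead of the
    one handed in. The supplied id stays anonymous, so a pre-seeded id is useless."""
    if not config.get("enableSimpleSSO", 0):   # hypothetical config dict; key name from the page
        return None
    if session_id not in SESSIONS:
        return None
    fresh = new_session()
    SESSIONS[fresh] = user_id
    return fresh


def main() -> None:
    # Attacker seeds a session, then gets the victim to complete SSO with that id.
    seeded = new_session()
    sso_login_vulnerable(seeded, "victim")
    print("vulnerable: attacker's seeded session is now", whoami(seeded))

    seeded = new_session()
    fresh = sso_login_hardened(seeded, "victim", {"enableSimpleSSO": 1})
    print("hardened: seeded session is", whoami(seeded), "; victim got a new session", fresh is not None)


if __name__ == "__main__":
    main()
```

The config gate is deliberately a default-deny lookup (`config.get("enableSimpleSSO", 0)`), matching the `0` default in the shipped config: a missing key behaves the same as an explicit off.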

Colin Kuskie 2011-01-10 14:07:59 -08:00
parent c65fd1946a
commit 6f34c25e82
4 changed files with 20 additions and 3 deletions

@ -1097,6 +1097,9 @@
# An array of SPAM words. Used in the Post and WikiPage to block spam by sending the asset directly
# to the trash.
"spamStopWords" : [
]
],
# A flag to enable a very simple SSO mechanism using sessionIds.
"enableSimpleSSO" : 0
}
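Review bot: the comment above the new `enableSimpleSSO` key should carry the warning the commit message gives, namely that this sessionId-based SSO is the fixation-prone feature, that it ships disabled (`0`) and that it goes away in WebGUI 8; as written, "A flag to enable a very simple SSO mechanism using sessionIds" reads as a neutral feature toggle and gives an operator editing the config no reason to leave it at 0. Suggest something like `# Enables the simple sessionId-based SSO in Operation/SSO. Off by default; deprecated and removed in WebGUI 8.` The `]` to `],` change on `spamStopWords` is required now that `enableSimpleSSO` is the last key, so that part is fine. The Operation/SSO change that reads this flag is one of the 4 changed files but is not shown on this page, so whether the flag is checked before the supplied session is consulted cannot be confirmed here.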