
Conversation

Kage commented Apr 2, 2025

This PR makes the PHP session cookie name configurable so that OPNsense sessions are not locked to the PHP default PHPSESSID. This allows multiple OPNsense web GUIs to operate on the same hostname or IP without interfering with each other (e.g. multiple OPNsense VMs with an SSH tunnel to the vhost to access them).

The configuration will only permit alphanumeric names. If a session name setting is not provided, it defaults to opnsense.

Fixes #8365

Contributor

darkk commented Nov 18, 2025

This allows multiple OPNsense web GUIs to operate on the same hostname or IP

I would strongly advise against that. Every OPNsense instance will get all the cookies in this case as you suggest to replace PHPSESSID with something that is possibly unique for every node.

Imagine one of those nodes getting compromised. It'll allow lateral movement as the attacker will get access to possibly-active sessions on other nodes with the very first GET / without any password entry.

If you have multiple OPNsense web GUIs on the same IP, you'd rather use different ports. Speaking of ssh -L lll:a.b.c.d:rrr case — pick a unique ${lll} port for each instance.

If you have multiple OPNsense web GUIs on the same hostname, I'd suggest using subdomains & CNAMEs. It'll be a more reliable solution.
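To make the cookie-scoping point in the comment above concrete, here is an added example (not part of the PR or of OPNsense): a stdlib cookie jar stands in for the browser, two GUI instances set their session cookies after login, and we inspect what each instance then receives. The hostnames, ports, cookie names and session ids are constructed. Cookies are scoped by host, not by port or by name, so on a shared IP both session cookies reach both instances, whereas one hostname per instance (the CNAME suggestion) keeps each cookie with its own GUI.

```python
"""Constructed demo: per-instance PHP session cookie names do not isolate
GUIs sharing a hostname/IP, while distinct hostnames do (RFC 6265 scoping)."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def login_to(jar, url, session_name, session_id):
    """Store the session cookie the GUI at `url` would set after login."""
    req = Request(url)
    resp = _FakeResponse([f"{session_name}={session_id}; Path=/; Secure; HttpOnly"])
    jar.extract_cookies(resp, req)


def cookies_sent_to(jar, url):
    """Return {name: value} the jar would attach to a request for `url`."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return {}
    return dict(part.strip().split("=", 1) for part in header.split(";"))


def compare_layouts():
    # Layout 1 (PR scenario): two instances behind one IP on different ports,
    # each with its own cookie name. Ports and names are not part of cookie scope.
    shared = CookieJar()
    login_to(shared, "https://127.0.0.1:8443/", "opnsenseA", "sessA")
    login_to(shared, "https://127.0.0.1:8444/", "opnsenseB", "sessB")
    # Layout 2 (subdomain/CNAME suggestion): one hostname per instance.
    split = CookieJar()
    login_to(split, "https://fw-a.example.test/", "opnsenseA", "sessA")
    login_to(split, "https://fw-b.example.test/", "opnsenseB", "sessB")
    return {
        "shared_host_to_B": cookies_sent_to(shared, "https://127.0.0.1:8444/"),
        "split_host_to_B": cookies_sent_to(split, "https://fw-b.example.test/"),
    }


if __name__ == "__main__":
    for layout, sent in compare_layouts().items():
        print(f"{layout}: {sent}")
```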


Successfully merging this pull request may close these issues.

Change PHP session name to be dynamic