The "io" cookie is created by socket.io, and its purpose is to offer an handle
to perform load balancing with session stickiness when the library falls back to
long polling or below.
In Etherpad's case, if an operator needs to load balance, he can use the
"express_sid" cookie, and thus "io" is of no use.
Moreover, socket.io API does not offer a way of setting the "secure" flag on it,
and thus is a liability.
Let's simply nuke it.
References:
https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancinghttps://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)
When using plugins, the express server gets restarted. When we do that,
the socketio-server should also get restarted. It doesn't. That means
that all the events in SocketIORouter.js are bound twice, which causes
chaos all over etherpad.
This changes our socketio.js so it fully recreates the io-instance when
we restart the server.
introduced in 95e7b0f156, but catching
that would have been hard.
