Details
Type: Bug
Status: Closed
Priority: Minor
Resolution: Won't Do
Affects Versions: 2.6.11, 2.7.8, 2.8.6, 2.9
Fix Version: None
Affected Branches: MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE
50689-30
Description
Hi guys,
A penetration test recently commissioned for Totara identified two security risks that we decided did not require fixing, but that we did identify as security concerns that should be expressed on the security overview report.
The two concerns identified were:
- User enumeration via login/signup.php
- HTTPOnly and Secure flags not set on cookie
In regard to user enumeration, this is a known consequence of turning on self-registration.
The same is true for several other scripts if the protectusernames setting has been turned off.
While this is a known consequence to developers, it is not reflected on the security overview report and really ought to be.
In regard to the HTTPOnly and Secure flags, we had stated in our provisioning of the penetration testing that the site would not be run on HTTPS, but that our recommendation is for all production sites to be run on HTTPS, and that we have settings for several security improvements that can be enabled for a site running on HTTPS.
However, after this was still reported, we completed a review of these settings and identified that the security overview report does not reflect the nature of these settings.
I'll attach patches shortly that improve the information provided on the security overview report to deal with things.
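To make the cookie-flag point concrete, the following is an added example, not code from this issue, from Moodle or from Totara: a small checker that reads Set-Cookie headers and reports missing HttpOnly and Secure flags, while taking the site scheme into account the way a security overview report should. It assumes the site root URL is given in the same form as Moodle's $CFG->wwwroot; the cookie names and values in the sample headers are constructed for illustration only.

```python
"""Added example (not Moodle or Totara code): check Set-Cookie headers for the
HttpOnly and Secure flags, taking the site scheme into account.

The sample headers below are constructed for illustration; the cookie names
and values are assumptions, not captured from a real site."""
from urllib.parse import urlsplit

# Finding codes returned by check_cookie_flags()
MISSING_HTTPONLY = "missing_httponly"            # readable by page scripts (XSS can steal it)
MISSING_SECURE = "missing_secure"                # HTTPS site, but cookie may still travel over HTTP
SECURE_NOT_APPLICABLE = "secure_not_applicable"  # site is plain HTTP; Secure cannot be enabled yet
SECURE_ON_HTTP = "secure_on_http"                # Secure set on an HTTP site: browser never sends it


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_cookie_flags(set_cookie_headers, site_url):
    """Return a list of (cookie name, finding code) for the given headers.

    site_url is the site's root URL (assumed to look like Moodle's $CFG->wwwroot).
    The Secure flag is only actionable when the scheme is https, which is why a
    report needs the scheme and not just the raw header.
    """
    https = urlsplit(site_url).scheme.lower() == "https"
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            findings.append((name, MISSING_HTTPONLY))
        if "secure" in attrs:
            if not https:
                findings.append((name, SECURE_ON_HTTP))
        else:
            findings.append((name, MISSING_SECURE if https else SECURE_NOT_APPLICABLE))
    return findings


# Constructed sample: one session cookie with HttpOnly, one "remember username"
# style cookie with neither flag (names and values are made up).
SAMPLE_HEADERS = [
    "MoodleSession=s3ss10n; path=/; HttpOnly",
    "MOODLEID1_=%25F4user; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/",
]

if __name__ == "__main__":
    for url in ("http://lms.example.test", "https://lms.example.test"):
        print(url)
        for cookie, code in check_cookie_flags(SAMPLE_HEADERS, url):
            print(f"  {cookie}: {code}")
```

Run against a plain-HTTP site the same headers yield "secure_not_applicable" rather than "missing_secure", which is the distinction the report text above is asking for: on HTTP the Secure flag is not a misconfiguration that can be fixed in isolation, and setting it there would stop the browser from ever sending the session cookie. The HttpOnly finding stands regardless of scheme.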
Issue Links
- has been marked as being related by: MDL-55273 cookiesecure doesn't default on (Closed)