security: stop setting the "io" cookie

The "io" cookie is created by socket.io, and its purpose is to offer an handle
to perform load balancing with session stickiness when the library falls back to
long polling or below.

In Etherpad's case, if an operator needs to load balance, he can use the
"express_sid" cookie, and thus "io" is of no use.

Moreover, socket.io API does not offer a way of setting the "secure" flag on it,
and thus is a liability.

Let's simply nuke it.

References:
  https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing
  https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)

src/node/hooks/express/socketio.js

@@ -16,7 +16,28 @@ exports.expressCreateServer = function (hook_name, args, cb) {
   // e.g. XHR is disabled in IE by default, so in IE it should use jsonp-polling
   var io = socketio({
     transports: settings.socketTransportProtocols
-  }).listen(args.server);
+  }).listen(args.server, {
+    /*
+     * Do not set the "io" cookie.
+     *
+     * The "io" cookie is created by socket.io, and its purpose is to offer an
+     * handle to perform load balancing with session stickiness when the library
+     * falls back to long polling or below.
+     *
+     * In Etherpad's case, if an operator needs to load balance, he can use the
+     * "express_sid" cookie, and thus "io" is of no use.
+     *
+     * Moreover, socket.io API does not offer a way of setting the "secure" flag
+     * on it, and thus is a liability.
+     *
+     * Let's simply nuke "io".
+     *
+     * references:
+     *   https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing
+     *   https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)
+     */
+    cookie: false,
+  });
 
   /* Require an express session cookie to be present, and load the
    * session. See http://www.danielbaulig.de/socket-ioexpress for more