Index: t3lib/stddb/tables.sql
===================================================================
--- t3lib/stddb/tables.sql (Revision 8770)
+++ t3lib/stddb/tables.sql (Arbeitskopie)
@@ -48,6 +48,7 @@
 ses_tstamp int(11) unsigned DEFAULT '0' NOT NULL,
 ses_data longtext,
 ses_backuserid int(11) NOT NULL default '0',
+ ses_verihash varchar(40) DEFAULT '' NOT NULL,
 PRIMARY KEY (ses_id,ses_name)
 );
Index: t3lib/class.t3lib_userauth.php
===================================================================
--- t3lib/class.t3lib_userauth.php (Revision 8770)
+++ t3lib/class.t3lib_userauth.php (Arbeitskopie)
@@ -157,6 +157,7 @@
 // Internals
 var $id; // Internal: Will contain session_id (MD5-hash)
+ protected $veriHash = ''; // Internal: Verify Hash used in combination with the veriCode (vC)
 var $cookieId; // Internal: Will contain the session_id gotten from cookie or GET method. This is used in statistics as a reliable cookie (one which is known to come from $_COOKIE).
 var $loginFailure = FALSE; // Indicates if an authentication was started but failed
 var $loginSessionStarted = FALSE; // Will be set to true if the login session is actually written during auth-check.
@@ -245,6 +246,10 @@
 // Internal var 'id' is set
 $this->id = $id;
+ // Set the verify hash:
+ $veriHash = t3lib_div::_GP('vH');
+ $this->veriHash = ($veriHash ? $veriHash : sha1($this->id));
+
 // If fallback to get mode....
 if ($mode=='get' && $this->getFallBack && $this->get_name) {
 $this->get_URL_ID = '&'.$this->get_name.'='.$id;
@@ -762,7 +767,8 @@
 'ses_iplock' => $tempuser['disableIPlock'] ? '[DISABLED]' : $this->ipLockClause_remoteIPNumber($this->lockIP),
 'ses_hashlock' => $this->hashLockClause_getHashInt(),
 'ses_userid' => $tempuser[$this->userid_column],
- 'ses_tstamp' => $GLOBALS['EXEC_TIME']
+ 'ses_tstamp' => $GLOBALS['EXEC_TIME'],
+ 'ses_verihash' => $this->veriHash,
 );
 }
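Review bot: The new ses_verihash column is added without an index, while the session lookup in class.t3lib_userauth.php (the @@ -912 hunk) now selects on `ses_verihash = :ses_verihash` instead of the primary-key column ses_id, so every authenticated request will scan the whole session table. Add `KEY ses_verihash (ses_verihash)` after the PRIMARY KEY line, and do the same for the second session table changed in typo3/sysext/cms/ext_tables.sql (@@ -186). The CREATE TABLE header is outside the hunk, so the table names are not visible here.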
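Review bot: In the @@ -245 hunk the vH request parameter is taken from GET or POST with no format check, and in the @@ -762 hunk `'ses_verihash' => $this->veriHash,` persists that client-supplied value into the new session row, so whoever triggers session creation picks the token the session is later looked up by in the @@ -912 hunk; a predictable value, or one planted through a link, makes that session findable by anyone who knows it (the session-fixation shape). Derive the stored value on the server, `'ses_verihash' => sha1($this->id),`, and accept a client value for lookup only when it has the expected form, e.g. `$this->veriHash = (is_string($veriHash) && preg_match('/^[0-9a-f]{40}$/', $veriHash)) ? $veriHash : sha1($this->id);`. Note that the truthiness test `$veriHash ? … : …` also treats the string '0' as absent, and that `t3lib_div::_GP()` can return an array. The enclosing method continues outside the hunk.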
@@ -787,6 +793,10 @@
 }
 if ($statement && $user) {
+ if (!$this->id) {
+ $this->id = $user['ses_id'];
+ }
+
 // A user was found
 if (is_string($this->auth_timeout_field)) {
 $timeout = intval($user[$this->auth_timeout_field]); // Get timeout-time from usertable
@@ -912,15 +922,16 @@
 $statement = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
 '*',
 $this->session_table . ',' . $this->user_table,
- $this->session_table . '.ses_id = :ses_id
+ $this->session_table . '.ses_verihash = :ses_verihash
 AND ' . $this->session_table . '.ses_name = :ses_name
 AND ' . $this->session_table . '.ses_userid = ' . $this->user_table . '.' . $this->userid_column . ' ' . $ipLockClause['where'] . ' ' . $this->user_where_clause()
 );
 $statement->bindValues(array(
- ':ses_id' => $this->id,
- ':ses_name' => $this->name,
+ ':ses_id' => $this->id,
+ ':ses_name' => $this->name,
+ ':ses_verihash' => $this->veriHash,
 ));
 $statement->bindValues($ipLockClause['parameters']);
 }
@@ -1012,10 +1023,19 @@
 * @return string
 */
 public function veriCode() {
- return substr(md5($this->id . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);
+ return substr(md5($this->veriHash . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);
 }
 /**
+ * Gets the current veriHash.
+ *
+ * @return string
+ */
+ public function getVeriHash() {
+ return $this->veriHash;
+ }
+
+ /**
 * This returns the where-clause needed to lock a user to a hash integer
 *
 * @return string
Index: typo3/js/flashupload.js
===================================================================
--- typo3/js/flashupload.js (Revision 8770)
+++ typo3/js/flashupload.js (Arbeitskopie)
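Review bot: `if (!$this->id)` only adopts the session id when none came from the cookie; when a cookie id is present but the row was matched on ses_verihash (the @@ -912 hunk no longer constrains ses_id), `$this->id` and `$user['ses_id']` can name two different sessions, and any later write keyed on `$this->id` lands on the wrong row. Either take the id from the matched row unconditionally, `$this->id = $user['ses_id'];`, or keep a `ses_id = :ses_id AND` condition in the lookup whenever `$this->id` is non-empty so the two cannot diverge. The enclosing method starts and ends outside the hunk.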
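Review bot: The `:ses_id` placeholder is still bound in the bindValues() array, but after the replaced line the WHERE clause no longer contains it; whether an unused named parameter is silently ignored or rejected depends on the prepared-statement layer (a native PDO prepare would fail on it), so either drop that binding or put the condition back. Prefixing the ses_verihash condition with `($this->id ? $this->session_table . '.ses_id = :ses_id AND ' : '') .` and binding `:ses_id` only in that case keeps the cookie-bound lookup strict while still allowing the vH-only path used by the uploader. The enclosing method starts and ends outside the hunk.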
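Review bot: The docblock on getVeriHash() says only "Gets the current veriHash", which hides what the caller receives: a value that, through the lookup in the @@ -912 hunk, authenticates the session on its own, and that backend.php now prints into the page's TYPO3.configuration. Say so on the method, e.g. `Gets the current veriHash: the vH request value if one was sent, otherwise sha1() of the session id. It is a session-equivalent credential and must only be exposed where the session id itself could be.` The veriCode() docblock above the hunk presumably still describes the code as derived from the session id and should be updated to name veriHash.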
@@ -280,6 +280,7 @@
 swfConfig.post_params = Ext.value(this.uploadPostParams, this.swfDefaultConfig.post_params);
 // add the veriCode from the backend.php to verify the session with the flash client
 swfConfig.post_params.vC = top.TS.veriCode;
+ swfConfig.post_params.vH = top.TS.veriHash;
 swfConfig.file_types_description = Ext.value(this.uploadFileTypesDescription, this.swfDefaultConfig.file_types_description);
 this.setFileTypeRestrictions(this.uploadFileTypes);
 return swfConfig;
Index: typo3/backend.php
===================================================================
--- typo3/backend.php (Revision 8770)
+++ typo3/backend.php (Arbeitskopie)
@@ -386,6 +386,7 @@
 'inWorkspace' => $GLOBALS['BE_USER']->workspace !== 0 ? 1 : 0,
 'workspaceFrontendPreviewEnabled' => $GLOBALS['BE_USER']->user['workspace_preview'] ? 1 : 0,
 'veriCode' => $GLOBALS['BE_USER']->veriCode(),
+ 'veriHash' => $GLOBALS['BE_USER']->getVeriHash(),
 'denyFileTypes' => PHP_EXTENSIONS_DEFAULT,
 'moduleMenuWidth' => $this->menuWidth - 1,
 'topBarHeight' => (isset($GLOBALS['TBE_STYLES']['dims']['topFrameH']) ? intval($GLOBALS['TBE_STYLES']['dims']['topFrameH']) : 30),
@@ -480,6 +481,7 @@
 this.navFrameWidth = 0;
 this.securityLevel = TYPO3.configuration.securityLevel;
 this.veriCode = TYPO3.configuration.veriCode;
+ this.veriHash = TYPO3.configuration.veriHash;
 this.denyFileTypes = TYPO3.configuration.denyFileTypes;
 }
 var TS = new typoSetup();
Index: typo3/sysext/cms/ext_tables.sql
===================================================================
--- typo3/sysext/cms/ext_tables.sql (Revision 8770)
+++ typo3/sysext/cms/ext_tables.sql (Arbeitskopie)
@@ -186,6 +186,7 @@
 ses_tstamp int(11) unsigned DEFAULT '0' NOT NULL,
 ses_data blob,
 ses_permanent tinyint(1) unsigned DEFAULT '0' NOT NULL,
+ ses_verihash varchar(40) DEFAULT '' NOT NULL,
 PRIMARY KEY (ses_id,ses_name)
 ) ENGINE=InnoDB;
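Review bot: `'veriHash' => $GLOBALS['BE_USER']->getVeriHash()` writes into the page's JS configuration a value that the lookup in class.t3lib_userauth.php accepts in place of the session cookie, so it is readable by any script running in the backend page and the cookie's HttpOnly flag no longer limits what a script injection can carry off. If the Flash uploader is the only consumer, narrow the server side accordingly: read the value with `t3lib_div::_POST('vH')` in the @@ -245 hunk so it cannot be replayed through a link, and make sure backend.php is sent with no-store cache headers if it is not already. The same value is already published as vC, but veriCode() is keyed with the encryption key whereas veriHash is the raw lookup token.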