diff -ru typo3_src.orig/t3lib/class.t3lib_beuserauth.php typo3_src.new/t3lib/class.t3lib_beuserauth.php
--- typo3_src.orig/t3lib/class.t3lib_beuserauth.php	2010-01-11 11:46:50.000000000 +0100
+++ typo3_src.new/t3lib/class.t3lib_beuserauth.php	2010-01-11 12:24:18.000000000 +0100
@@ -364,49 +364,6 @@
 		}
 	}
 
-	/**
-	 * VeriCode returns 10 first chars of a md5 hash of the session cookie AND the encryptionKey from TYPO3_CONF_VARS.
-	 * This code is used as an alternative verification when the JavaScript interface executes cmd's to tce_db.php from eg. MSIE 5.0 because the proper referer is not passed with this browser...
-	 *
-	 * @return	string
-	 */
-	function veriCode()	{
-		return substr(md5($this->id.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']),0,10);
-	}
-
-
-	/**
-	 * The session_id is used to find user in the database.
-	 * Two tables are joined: The session-table with user_id of the session and the usertable with its primary key
-	 * if the client is flash (e.g. from a flash application inside TYPO3 that does a server request)
-	 * then don't evaluate with the hashLockClause, as the client/browser is included in this hash
-	 * and thus, the flash request would be rejected
-	 *
-	 * @return DB result object or false on error
-	 * @access private
-	 */
-	protected function fetchUserSessionFromDB() {
-		if ($GLOBALS['CLIENT']['BROWSER'] == 'flash') {
-			// if on the flash client, the veri code is valid, then the user session is fetched
-			// from the DB without the hashLock clause
-			if (t3lib_div::_GP('vC') == $this->veriCode()) {
-				$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
-						'*',
-						$this->session_table.','.$this->user_table,
-						$this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
-							AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
-							AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
-							'.$this->ipLockClause().'
-							'.$this->user_where_clause()
-				);
-			} else {
-				$dbres = false;
-			}
-		} else {
-			$dbres = parent::fetchUserSessionFromDB();
-		}
-		return $dbres;
-	}
 }
 
 
diff -ru typo3_src.orig/t3lib/class.t3lib_userauth.php typo3_src.new/t3lib/class.t3lib_userauth.php
--- typo3_src.orig/t3lib/class.t3lib_userauth.php	2010-01-11 11:46:50.000000000 +0100
+++ typo3_src.new/t3lib/class.t3lib_userauth.php	2010-01-11 12:25:38.000000000 +0100
@@ -842,10 +842,32 @@
 	/**
 	 * The session_id is used to find user in the database.
 	 * Two tables are joined: The session-table with user_id of the session and the usertable with its primary key
+	 * if the client is flash (e.g. from a flash application inside TYPO3 that does a server request)
+	 * then don't evaluate with the hashLockClause, as the client/browser is included in this hash
+	 * and thus, the flash request would be rejected
+	 * 
 	 * @return DB result object or false on error
 	 * @access private
 	 */
 	protected function fetchUserSessionFromDB() {
+		
+		if ($GLOBALS['CLIENT']['BROWSER'] == 'flash') {
+			// if on the flash client, the veri code is valid, then the user session is fetched
+			// from the DB without the hashLock clause
+			if (t3lib_div::_GP('vC') == $this->veriCode()) {
+				$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
+						'*',
+						$this->session_table.','.$this->user_table,
+						$this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
+							AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
+							AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
+							'.$this->ipLockClause().'
+							'.$this->user_where_clause()
+				);
+			} else {
+				$dbres = false;
+			}
+		} else {
 		$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
 					'*',
 					$this->session_table.','.$this->user_table,
@@ -856,6 +878,7 @@
 						'.$this->hashLockClause().'
 						'.$this->user_where_clause()
 		);
+		}
 		return $dbres;
 	}
 
@@ -914,6 +937,16 @@
 	}
 
 	/**
+	 * VeriCode returns 10 first chars of a md5 hash of the session cookie AND the encryptionKey from TYPO3_CONF_VARS.
+	 * This code is used as an alternative verification when the JavaScript interface executes cmd's to tce_db.php from eg. MSIE 5.0 because the proper referer is not passed with this browser...
+	 *
+	 * @return	string
+	 */
+	function veriCode()	{
+		return substr(md5($this->id.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']),0,10);
+	}
+	
+	/**
 	 * This returns the where-clause needed to lock a user to a hash integer
 	 *
 	 * @return	string