37
Well, let me see if I got this right: the old link, the one listed in an IRC channel, did stop working but now you can do it again with a new session value? If this isn't the case, we need to understand how/where the sessionid is being kept (could be a cookie?), but if you got a brand new sessionid... let's say we'll have to think a bit harder to try to solve that
I don't think that session hijacking needs the remember me hack, because when I monitor my xoops_sessions the same session is used for my IP when I log in again (same user, same IP). Now, since that table stores both session ID and IP, it seems logical that some kind of check using the IP should be happening and I'm not sure if it is (or whether the hack could have removed that).
Again, if any of you want to explore this kind of issue in my server, PM me and we can work it out.