I take it back. It's not from a fresh install. Gilbert, do you have database passwords set to be encrypted? Because I do, and that's the source of the problem.
Take out the
if { [ad_parameter EncryptPasswordsInDBP "" 0] } {
set password [ns_crypt $password [ad_crypt_salt]]
}
block on line 238 of ad-security.tcl. This block is essentially saying "if the passwords are encrypted in the database, then encrypt the hexified password from the cookie (ad_user_login)." The only problem being that the hexified password is already the hexified encrypted password.
So what the session_id setter is trying to do is match the dehexified encrypted hexified encrypted password to the encrypted password from the database. Obviously those two won't be equal, so it assumes you're not logged in and proceeds accordingly.
Hope that wasn't too cryptic. Mine works now :)
