we should only reset a sessionhash if you login from reviewpost.
If you go to your reviewpost after logging in from vb
what are the cookies.
I may need to see a url and test login to check out cookies. See we simply grab a userid from the session table if there is no vbuserid.