I checked this yesterday night. The pass_hash is well retrieved, but modifying the pass_hash and the user id in the cookies (thanks to BurpSuite) does not affect the behaviour of the server... I might have done something wrong...

[ reply ]