Fixed a bug (thanks to Márcio Lima for the bug report!), and improved security by passing a unique ID, not a userid, to/from the client.