I have updated from Debian 4 (etch) to Debian 5 (lenny), with a lot of upgrade (php, mysql, lighttpd, etc).

The board, now, is able to see only IPv4-mapped address into IPv6. I'm not sure for what reason this happens (php? the web server?)

The strong problem is that during the IP checking, the regex expressions don't detect an IPv4-mapped address.
As a result, all users/bot connections come from localhost (127.0.0.1).

You can imagine what a big issue is this. One for all, the ip-based ban filter stops to work.

I have done a very simple patch I have deployed in a small-to-medium board (averaging ~30 users online).
It seems to work fine.

In the patch I suppose you perform the IP check against $_SERVER["REMOTE_ADDR"] only in session_begin() from includes/session.php.
After that you use always the value stored in $session->ip.
Is this assertion correct?