Aha, I see it now (and your changes to sec_handler, at least in my version of OACS - the 4.6.3 docs on openacs.org dont show your changes)
So I can start to understand sec_handler better; what is the difference between the session_id cookie and the user_login cookie?