Forum OpenACS Development: Re: Session Identifier Not Updated
i haven't mentioned anything is this direction. The change  is in acs-tcl/tcl/security-procs.tcl and adresses the regeneration of session-ids when the privilege level changes during login (recommended be owasp.org). You find material concerning "externally created session identifiers" on Wikipedia . There are more possible attacks against session-ids, that are not handled in OpenACS, but these address only sessions of not-logged-in users. As soon a user is logged in, the login cookie secures the session-ids strongly. Security checkers looking only at the session-id will generate false positives.