Forum OpenACS Q&A: Response to lynx, cookies and ACS sessions
Encoding the cookie values seems a good solution to me, though you'd have to allow for "converting" old non-encoded cookies too, unless you wish to break all current stored cookies!
Cookies are set in only 17 or so .tcl files within OpenACS 3.2.4. Hand hacking these places to use ns_urlencode would be pretty straightforward from a quick scan of the relevant code (do something like
grep -ri Set-Cookie *
at the top of your ACS tree to find them).
Finding the places where cookies are searched for in the headers (to attempt decoding in each place) is marginally more interesting, but I suspect that something like
egrep -ri "ns_set get .*Cookie" *
will find them, and again there are not too many places to hack in a call to ns_urldecode.