Forum OpenACS Development: Response to Login/Security tokens without cookies
This would probably be easier on ACS-Java because I did a modification to support different mount points; required replacing all hard-coded links and using a "get context path" method to get the context path. So you're down to just the include-session-id-in-get-context-path-method and check-context-path-for-session-id steps. The standard Java session handling won't work for ACS-Java because
a) It isn't database backed,
b) it requires you to call a method around every URL, and the system wasn't written that way,
c) it uses a URL variable rather than a directory, so it doesn't work "for free" on relative links (see b)
Finally, you'd want to make sure the session ID encodes & checks at least part of the IP, and probably have faster timeouts than normal, so that people don't accidentally e-mail their login to their friend.
It's an easy enough change that I think it should really be done, it's a nice feature and can reduce frustration/customer support "your site is broken" requests.