I wouldn't set a new cookie. As far as I know openacs3 issues a session cookie automatically if cookies are enabled on the client, also for non-registered users. You can use the ad_set_client_property and ad_get_client_property procs to associate values to the current session (see /doc/security-sessions.html on an OpenACS 3.x installation).
When a user logs in or registers the new user_id will be stored in the sec_sessions table, so the values will the be directly associated with the user when possible.