Forum OpenACS Development: Re: Session Identifier Not Updated

Posted by Gustaf Neumann on
Maybe you are right that the oacs version I'm having in the project open application is not the latest one.

I haven't mentioned anything in this direction. The change [1] is in acs-tcl/tcl/security-procs.tcl and addresses the regeneration of session-ids when the privilege level changes during login (recommended by owasp.org). You find material concerning "externally created session identifiers" on Wikipedia [2]. There are more possible attacks against session-ids that are not handled in OpenACS, but these address only sessions of not-logged-in users. As soon as a user is logged in, the login cookie secures the session-ids strongly. Security checkers looking only at the session-id will generate false positives.

-gn

[1] http://cvs.openacs.org/changelog/OpenACS?cs=oacs-5-8%3Agustafn%3A20140725233311
[2] http://en.wikipedia.org/wiki/Session_fixation
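The two mechanisms described in the post above (retiring the pre-login session id when the privilege level rises at login, and a login cookie that binds the logged-in user to the current session id) as an added, generic illustration in Python. This is not the OpenACS Tcl code from acs-tcl/tcl/security-procs.tcl; the `SessionStore` class, `fixation_scenario`, `make_login_cookie`, `verify_login_cookie`, the user id 42 and the `user_id:hmac` cookie layout are assumptions made for the example. The `regenerate=False` path is kept only to show what a scanner is checking for: an id fixed before login keeps working after it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user_id: Optional[int] = None          # None = anonymous (not logged in)
    data: dict = field(default_factory=dict)


class SessionStore:
    """Minimal in-memory session store (illustration, not OpenACS code)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)    # server-generated, unguessable id
        self._sessions[sid] = Session()
        return sid

    def user_for(self, sid: str) -> Optional[int]:
        s = self._sessions.get(sid)
        return s.user_id if s else None

    def login(self, sid: str, user_id: int, regenerate: bool = True) -> str:
        """Elevate a session from anonymous to logged-in.

        regenerate=True  (hardened): retire the id the client presented and
                         issue a fresh one, so an id that was fixed before
                         login never carries the new privilege.
        regenerate=False (vulnerable): keep whatever id the client presented,
                         even one the server never issued.
        """
        old = self._sessions.get(sid)
        if old is None:
            old = Session()
        if not regenerate:
            old.user_id = user_id
            self._sessions[sid] = old
            return sid
        self._sessions.pop(sid, None)      # the pre-login id is dead from here on
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user_id=user_id, data=dict(old.data))
        return new_sid


def fixation_scenario(regenerate: bool) -> dict:
    """Replay the session-fixation pattern: an anonymous id known to a third
    party is presented by the victim at login. Returns what each side sees
    afterwards; attacker_sees_user is None when the fixed id is worthless."""
    store = SessionStore()
    planted = store.new_session()          # a valid anonymous id, known to the attacker
    victim_sid = store.login(planted, user_id=42, regenerate=regenerate)
    return {
        "attacker_sees_user": store.user_for(planted),
        "victim_sees_user": store.user_for(victim_sid),
        "id_changed": victim_sid != planted,
    }


# A login cookie bound to the session id (assumed layout "user_id:hmac").
# Knowing a session id alone is not enough: the tag only verifies for the
# exact id it was issued for, under a secret the server never sends out.

def make_login_cookie(secret: bytes, sid: str, user_id: int) -> str:
    tag = hmac.new(secret, f"{user_id}:{sid}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{tag}"


def verify_login_cookie(secret: bytes, sid: str, cookie: str) -> Optional[int]:
    """Return the user id if the cookie is valid for this session id, else None."""
    try:
        user_str, tag = cookie.split(":", 1)
        user_id = int(user_str)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{user_id}:{sid}".encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    print("hardened :", fixation_scenario(regenerate=True))
    print("vulnerable:", fixation_scenario(regenerate=False))
```

A checker that only watches whether the session cookie value changes across login would flag the `regenerate=False` store and pass the hardened one; it cannot see the login-cookie binding, which is why such a tool reports a finding on a deployment that is in fact protected by the second mechanism.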