Tom,
We run ACS 4.2 on our public site (deseretbook.com), and use OpenACS for our Intranet (let's call it intranet.deseretbook.com), which is not accessible to the public.
Some versions of IE--I forget which exactly, though I think it was 5.5, will send back cookies for the wrong host.
For example, if an employee logged into the public website initially the ad_session_id cookie (and the various others) would get set for DeseretBook.com. Then when they went to log into the internal Intranet site IE 5.5 would send that cookie.
OpenACS would attempt to validate the ad_session_id token. Naturally this validation would fail since each site uses totally different sec_security_tokens, so OpenACS issues a new ad_session_id cookie for intranet.deseretbook.com. However, IE would refuse to set the cookie because it already had one(!) and the two hosts didn't match (intranet.deseretbook.com != deseretbook.com).
Inspite of nominally having Netscape as the "official" internal web browser, far too many people still used IE. We ended up modifying the ad_get_cookie and ad_set_cookie procs on the OpenACS side to pre-pend a unique identifier to the cookie name(s) being get/set.
