For a very long time I have had problems with cookies and sessions.
The problem I have run into is that OpenACS uses several cookies when there should only be one session cookie.
The session cookie should be opaque, which means in this context that if you capture the session key you don't know anything else. The user_id, user state, etc. associated with the session are maintained on the server.
Some (maybe all?) versions of OpenACS encode the user_id in a cookie. The result is that some pages mislead the user and make it appear that the user is logged in, even after a session has expired. For OpenACS this is more important than for most applications.
The solution is to use only one cookie which contains only a session key.
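A sketch of the single opaque session cookie described above, added here as an illustration and not taken from OpenACS. The names `SessionStore` and `render_greeting`, the `session_id` cookie name and the 30-minute timeout are assumptions.

```python
import secrets
import time

SESSION_TTL = 1800  # seconds; assumed idle timeout, not an OpenACS setting


class SessionStore:
    """Server-side session table keyed by an opaque random token."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}  # token -> {"user_id", "state", "expires"}

    def create(self, user_id, state=None):
        # 32 bytes from the OS CSPRNG; the token encodes nothing about the user.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user_id": user_id,
            "state": dict(state or {}),
            "expires": self._clock() + self._ttl,
        }
        return token

    def lookup(self, token):
        """Return the session record, or None if unknown or expired."""
        record = self._sessions.get(token)
        if record is None:
            return None
        if self._clock() >= record["expires"]:
            del self._sessions[token]  # expired: drop the server-side state
            return None
        return record


def render_greeting(store, cookies):
    """Decide logged-in state from the server-side record only.

    "session_id" is a hypothetical cookie name. Any other cookie, such as
    a leftover user_id cookie, is never consulted.
    """
    record = store.lookup(cookies.get("session_id", ""))
    if record is None:
        return "Not logged in"
    return f"Logged in as user {record['user_id']}"
```

Because the page reads the user only through `lookup`, an expired session can never be rendered as logged in, whatever else the browser sends.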