Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -N -r1.74.2.10 -r1.74.2.11
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 14 Feb 2014 19:38:26 -0000 1.74.2.10
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 25 Jul 2014 23:33:11 -0000 1.74.2.11
@@ -419,6 +419,12 @@
 # the empty string
 set prev_user_id [ad_conn user_id]
 
+ #
+ # Change the session id for all user_id changes, also on
+ # changes from user_id 0, since owasp recommends to renew the
+ # session_id after any privilege level change
+ #
+ #if { $prev_user_id != 0 && $prev_user_id != $new_user_id }
 if { $prev_user_id != 0 && $prev_user_id != $new_user_id } {
 # this is a change in identity so we should create
 # a new session so session-level data is not shared
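Review bot: The new comment states that the session id is renewed on every user_id change including changes from user_id 0, but the live condition directly below it is unchanged, `if { $prev_user_id != 0 && $prev_user_id != $new_user_id } {`, and the commented-out `#if ...` line added above it is byte-identical to it, so the code still skips session renewal on exactly the anonymous-to-authenticated transition the comment singles out. A reader of the new side will believe the OWASP recommendation the comment cites is implemented when the `$prev_user_id != 0` exclusion still leaves a pre-login session id in place after login. Either change the condition to `if { $prev_user_id != $new_user_id } {` and drop the dead `#if` line, or reword the comment to say the `!= 0` exclusion is deliberate and why. The enclosing proc starts and ends outside the hunk, so I cannot see whether anything else in the branch depends on the old behaviour.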