Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -r1.78.2.63 -r1.78.2.64
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 12 Sep 2018 08:30:37 -0000 1.78.2.63
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 5 Nov 2019 10:12:58 -0000 1.78.2.64
@@ -248,6 +248,17 @@
         } else {
             set auth_level ok
         }
+        #
+        # In case there is no session_id, do not trust the
+        # provided cookie, since it might be stolen. In
+        # general, session cookies are recreated on the fly
+        # for the current user, but we do not want this in
+        # cases, when we have already a "valid" login cookie.
+        #
+        if {[ad_conn session_id] eq ""} {
+            ns_log warning "downgrade auth_level of user $untrusted_user_id since session_id invalid"
+            set auth_level expired
+        }
     }
 }
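Review bot: The new `if {[ad_conn session_id] eq ""}` check runs regardless of what the preceding branches set `auth_level` to, so when the earlier branch already produced `expired` the warning still claims a downgrade that did not happen, and because the message is emitted at `warning` level with a cookie-derived `$untrusted_user_id`, any client that presents a login cookie without a usable session cookie can trigger one such line per request. Restricting the downgrade to the case it is meant for keeps the log meaningful: `if {[ad_conn session_id] eq "" && $auth_level eq "ok"} {`. It would also help to say in the comment which branch of the hunk's caller is expected to have populated `ad_conn session_id` at this point, since the hunk only reads it and the assignment is not visible here; if it is set later in the proc, the check would always fire. The enclosing proc begins and ends outside this hunk, so the assumption that `untrusted_user_id` is in scope is inferred from its use on the `ns_log` line.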