Would someone mind taking a look at http://dev.rubyonrails.org/ticket/7952 ?
It patches CGI::Session to reject session IDs in GET and POST parameters. Among other things, it prevents a possible session fixation attack. There is an override for anyone who needs the old behavior: session :cookie_session_id_only => false.
Koz and I discussed this a month or two ago. If there is anything needed on this, let me know. (In particular, this is a hard behavior to test without making a parallel change to TestRequest. If this can be tested without unnecessary duplication, do tell!)