I have looked into this issue a little and in order for a session to be impersonated or hijacked the session identifier would need to be obtained first. From what I have seen and read this vulnerability occurs when using session id's that occur from a get variable. I'm not aware of any of our code that relies on this method for the session variable. So impersonating a session or hijacking it should not be of concern with the code our tools produce. If you have some other info about this or a specific issue associated with this please let us know.