I am running punbb on the same domain as another application, and I noticed sessions getting clobbered. I realize punbb always sets the hash argument to true when calling random_key(), making the existing regex work, but in my situation, I am deliberately sharing punbb sessions with this other application. The session IDs PHP's file session handler generates can contain uppercase letters, as well as commas and minus signs (see http://www.php.net/manual/en/function.session-id.php).
As a workaround I could write a fn_forum_session_start_start hook to override forum_session_start() but I'd like you to consider loosening the regex as in this patch.
Allow uppercase letters, '-' and ',' in session ID
"The , (comma) and - (minus) characters are allowed in the file session handler."