That's one of many reasons for being ultra-cautious before accepting Unicode in a programming language. It's fine in string literals, but I for one am not convinced for anything else.
Of course you can always restrict Unicode support to avoid all these weird "characters", but I'm not so sure it's even possible, given the gigantic number of Unicode characters available.
And of course the same should be done for file names if possible.
Anyway, "interesting" that Unicode could be a potential source of security holes.
And that said, the core point with session IDs is a freaking disaster. Good thing if it makes more people aware of that.
Google is particularly bad with this actually (even if it's far from being the only one).
Take your Google accounts - you can stay connected to them almost indefinitely. On your mobile phone, it's always connected. You enter your account password ONCE when configuring your phone, and that's it. It never asks for it ever again. In a web browser with gmail, almost the same thing. I have a tab opened with one gmail account. It stays open almost all the time, and it almost never gets disconnected on its own. Sure that's convenient for users, but that's a disaster security-wise.
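One way to "restrict Unicode support" in the sense the comment above argues for is to audit source for identifiers that mix scripts (a Cyrillic "а" beside Latin letters) and for bidirectional control characters anywhere in a line. The following is an added illustration, not code from the commenter or from any project mentioned in the thread; the sample source text is constructed, and the script-name heuristic (first word of the Unicode character name) is an assumption chosen for simplicity rather than a full Unicode Script property lookup.

```python
import re
import unicodedata

# Constructed sample: an ASCII identifier, a look-alike identifier with a
# Cyrillic "a" (U+0430) in place of Latin "a", and a line carrying a
# right-to-left override (U+202E) that can reorder how code is displayed.
SAMPLE_SOURCE = (
    "balance = 100\n"
    "b\u0430lance = 0  # Cyrillic a\n"
    "total\u202e = balance\n"
)

# Unicode bidirectional control characters (general category Cf).
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
    "\u200e", "\u200f", "\u061c",
}

# Identifier: a letter or underscore followed by word characters (Unicode-aware).
IDENT_RE = re.compile(r"[^\W\d]\w*", re.UNICODE)


def script_of(ch):
    """Coarse script name from the Unicode character name (assumption: the
    first word, e.g. 'LATIN SMALL LETTER A' -> 'LATIN')."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def audit_source(text):
    """Return (line_number, kind, detail) findings for bidi controls and for
    identifiers that are non-ASCII or mix scripts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Bidi controls are flagged wherever they occur, including comments
        # and string literals, since they alter what a reviewer sees.
        for ch in line:
            if ch in BIDI_CONTROLS:
                findings.append((lineno, "bidi-control", f"U+{ord(ch):04X}"))
        for match in IDENT_RE.finditer(line):
            ident = match.group()
            scripts = {script_of(c) for c in ident if c.isalpha()}
            if len(scripts) > 1:
                findings.append((lineno, "mixed-script", ident))
            elif not ident.isascii():
                findings.append((lineno, "non-ascii", ident))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {detail}")
```

Run against the constructed sample, the audit reports the mixed-script identifier on line 2 and the U+202E control on line 3, while the plain ASCII line passes. A stricter policy (the one the comment leans towards) would simply reject every non-ASCII identifier, which the `non-ascii` branch already isolates.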