The port is part of the session identifier. So you dont get any session info from port 8080 if you connect to port 80. I just verified that:
1) I logged into ispconfig on test.tld:8080
2) I created a website test.tld and added the file:
and opened test.tld/info.php in the same browser window without closing ispconfig nor closing the browser window and the output is:
Array ( )
Normally you should always connect to ispconfig trough the server hostname anyway, so if you dont trust the php session handler and want to add a second security level then you can set the server hostname in the ispconfig vhost so that only connections trough this hostname are possible.
For larger multiserver setups you use a dedicated controlpanel server, so there are no other vhosts on that server.