That kind of security is pretty tough to assess. I don't see there being an automated tool for that sort of thing, because assessing the risk level of any method requires an understanding of the technology involved (cookies, URL mangling, etc.) , what kind of clients are going to use it (can people read this from public kiosks, or can you tie them down to a particular (group of) workstations?), and human psychology. A lot also depends on how you're identifying individuals. Can you use cookies AND SSL? If so, you might set a cookie with a session ID and the 'secure' flag set to identify your users. Look up "MD5" on this site for some pointers on generating good session IDs.
As for protecting the security of the files on the server, anything that can't be made to run safely under taint mode (-T) should be avoided.