As I remember, you can specify login credentials as parameters of the API function CallCreate. Then the session ID should be active for just one operation. This way, web services should not get messed up with the user's session ID.
Not sure, though. You have to do thorough testing or wait until a VSM guru comments here.