Ken Williams wrote:
> If you have the additional requirement that the unique values shouldn't
> be easily *guessable*, that becomes a very hard problem, precisely
> because "random" and "unique" are such poor friends. Usually people
> just cheat by generating a large random ID such that the probability of
> it being already-used is low, and then they check all the previous IDs
> to make sure.

The requirement to prevent guessing is usually aimed at security and preventing "session hijacking" and similar attacks (and believe me, this kind of attack is very common). Another way to do this is to use a MAC like MD5 or SHA1, as described in the Eagle book and O'Reilly's CGI book. This makes it very difficult for an attacker to generate a valid ID, even if the sequence of IDs is predictable.

- Perrin
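The MAC approach from the message above, as an added example that is not part of the original post or taken from either book: a sequential counter supplies uniqueness, and a keyed MAC over the ID makes a guessed ID useless without the server's secret. The choice of HMAC-SHA-256, the `id:mac` token layout, the key value and the function names are all assumptions made for this sketch.

```python
import hashlib
import hmac

# Constructed demo key (assumption). A real deployment would load a long,
# random, server-side secret and never ship it to the client.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _mac(session_id: str, key: bytes) -> str:
    """Hex HMAC-SHA-256 tag over the session ID."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_token(counter: int, key: bytes = SECRET_KEY) -> str:
    """Build '<id>:<mac>' from a predictable, unique counter value."""
    session_id = str(counter)
    return f"{session_id}:{_mac(session_id, key)}"


def verify_token(token: str, key: bytes = SECRET_KEY):
    """Return the session ID if the MAC checks out, otherwise None."""
    session_id, sep, tag = token.rpartition(":")
    if not sep or not session_id:
        return None  # no MAC attached, or empty ID
    expected = _mac(session_id, key)
    # Constant-time comparison so the check does not leak how many
    # leading characters of a forged tag were correct.
    if not hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8")):
        return None
    return session_id


if __name__ == "__main__":
    token = issue_token(1000)
    print("issued:  ", token)
    print("valid:   ", verify_token(token))
    # Guessing the next ID in the sequence while reusing the old tag fails.
    guessed = "1001:" + token.split(":")[1]
    print("guessed: ", verify_token(guessed))
```

The MAC only proves the server issued the ID; uniqueness still comes from the counter, and the token needs the same transport protection as any other session credential.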