in reply to
Re: Secure Session ID values
in thread Secure Session ID values
Certainly for unix-only apps this is a good choice for a session ID except in really extenuating circumstances, but like others have suggested, you should combine it with a checksum. The uniqueness of time().$$ is good, but as with any user-supplied data (in this case, the user's browser supplies it back to the server) you need to add something so that a malicious remote user can't fake the session of another user. A vaguely common (though not bulletproof) method would be to combine the two values with a 3rd secret value, in some mathematical way (e.g. ($$ * $secret) + $time) then take the modulus of that and another secret.
Something like $checksum = (($$ * $secret) + $time) % $someprime
When you need to access a user's session, take their $$ and $time from the cookie, do the same maths on them, and verify that the calculated checksum is the same as the one in the user's cookie.
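The scheme described in this reply, worked through as an added example (editor's code, not the poster's, and in Python rather than the Perl the thread is discussing). The secret multiplier and the secret prime are constructed values; the cookie layout `time.pid.checksum` is also an assumption. The second pair of functions is an added hardened form using an HMAC: the mod-prime checksum is a linear relation in the secret, so an attacker who collects a handful of their own cookies can recover the prime from differences and then solve for the multiplier, after which forging another user's cookie is trivial. A keyed MAC over the same two fields gives the same verify-by-recomputing flow without that weakness.

```python
import hashlib
import hmac
import os
import time

# Constructed demo secrets. In a real deployment these live only on the server
# and are generated randomly; a guessable multiplier or prime defeats the check.
SECRET = 7919          # the poster's $secret
SOMEPRIME = 1000003    # the poster's $someprime
HMAC_KEY = b"constructed-demo-key-change-me"  # key for the added HMAC variant


def checksum(pid, t, secret=SECRET, prime=SOMEPRIME):
    """The reply's checksum: (($$ * $secret) + $time) % $someprime."""
    return ((pid * secret) + t) % prime


def make_session_id(pid=None, t=None):
    """Build the cookie value time.pid.checksum (layout is an assumption)."""
    pid = os.getpid() if pid is None else pid
    t = int(time.time()) if t is None else t
    return f"{t}.{pid}.{checksum(pid, t)}"


def verify_session_id(sid):
    """Redo the same maths on the cookie's time and pid, compare to its checksum."""
    try:
        t_str, pid_str, chk_str = sid.split(".")
        t, pid, chk = int(t_str), int(pid_str), int(chk_str)
    except ValueError:
        return False  # malformed cookie: wrong field count or non-numeric field
    # constant-time comparison so the check itself leaks nothing about the value
    return hmac.compare_digest(str(checksum(pid, t)), str(chk))


def make_session_id_hmac(pid=None, t=None, key=HMAC_KEY):
    """Added hardened form: same time.pid payload, authenticated with HMAC-SHA256."""
    pid = os.getpid() if pid is None else pid
    t = int(time.time()) if t is None else t
    payload = f"{t}.{pid}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_session_id_hmac(sid, key=HMAC_KEY):
    """Recompute the tag over the cookie's payload and compare in constant time."""
    payload, sep, tag = sid.rpartition(".")
    if not sep or payload.count(".") != 1:
        return False
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def forge_by_changing_pid(sid, new_pid):
    """What a malicious user can do: keep the checksum, swap in another pid.
    Both verifiers must reject this."""
    t_str, _pid, rest = sid.split(".", 2)
    return f"{t_str}.{new_pid}.{rest}"


if __name__ == "__main__":
    sid = make_session_id(pid=1234, t=1000000000)
    print("cookie:", sid, "valid:", verify_session_id(sid))
    forged = forge_by_changing_pid(sid, 1235)
    print("forged:", forged, "valid:", verify_session_id(forged))
    hsid = make_session_id_hmac(pid=1234, t=1000000000)
    print("hmac cookie:", hsid, "valid:", verify_session_id_hmac(hsid))
    print("hmac forged valid:", verify_session_id_hmac(forge_by_changing_pid(hsid, 1235)))
```

Both verifiers follow the reply's flow (pull the fields out of the cookie, recompute, compare); the only difference is what "the same maths" is. Note that either way the cookie still carries the pid and timestamp in the clear, so it identifies the serving process and login time to anyone who reads it.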