You are of course correct that a truely random number would be secure. In fact my approach of ID + secret just moves the randomness to a different part.
in reply to Re^3: Is this a secure way to prevent cookie tampering
in thread Is this a secure way to prevent cookie tampering
I prefer the id + secret route because it is easier to deal with in the database. The id can be a integer which the indexes like and the secret is just a char(30) or whatever. Having the id as an integer allows for easy referencing from other tables. There is also the cosmetic appeal of seeing how many sessions you have gone through...
--tidiness is the memory loss of environmental mnemonics