Certainly for unix-only apps this is a good choice for a session ID expect in really extenuating circumstances, but like others have suggested, you should combine it with a checksum. The uniqueness of time().$$ is good, but as with any user-supplied data (in this case, the users browser supplies it back to the server) you need to add something so that a malicious remote user can't fake the session of another user. A vaguely common (though not bulletproof) method would be to combine the two values with a 3rd secret value, in some mathematical way (eg ($$ * $secret) + $time) then take the modulus of that and another secret.

Something like $checksum = (($$ * $secret) + $time) % $someprime

When you need to access a users session, take their $$ and $time from the cookie, do the same maths on them, and verify that the calculated checksum is the same as the one in the users cookie.

the hatter

---

---

• Are you posting in the right place? Check out Where do I post X? to know for sure.
• Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:

  <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>

• Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
• Want more info? How to link or How to display code and escape characters are good places to start.