http://www.perlmonks.org?node_id=17088

in reply to unique session id

Incremental generation of ids is not very secure, because a user could easily hijack someone else's session just by bumping his/her session id up or down.

I've also seen security problems with random session ids, though. For example, the WebX message board system, a popular commercial BBS. It uses some very funky session IDs to track logins. However, it also allows limited HTML, including hyperlinks. So, all I need to do is add a hyperlink into my message that leads to a CGI script on a server I control. The CGI script reads the HTTP_REFERER info, and forwards it to me via email. Now I have that user's session ID, and if I get there before their session times out, I can hijack their session and forge messages, mess with configuration settings, etc.

Just things to consider when you are going to be using session IDs.
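The two failure modes in the reply above (guessable sequential ids, and a random id that leaks through the Referer header because it travels in the URL) can both be closed at the application layer. The following Perl is an added example, not code from the original thread or from the poster; it assumes a Unix-like host with `/dev/urandom`, Perl 5.10 or later, and a cookie named `sid` (all names here are hypothetical). It generates ids from the kernel CSPRNG, keeps session state and expiry on the server, sends the id only as an HttpOnly cookie (browsers never copy cookies into Referer), and refuses any request that presents the id in the query string, since an id seen there may already have leaked.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not code from the original thread. Assumes a Unix-like
# system with /dev/urandom; names (sid, %sessions, $TTL) are hypothetical.

# 32 bytes from the kernel CSPRNG. An incremental id (or a time-seeded
# rand()) lets a user guess a neighbour's session; this does not.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $n = read($fh, my $bytes, 32);
    defined $n && $n == 32 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;    # 64 hex characters, 256 bits of entropy
}

# Server-side store: id => { user, expires }. The id is a bearer token,
# so its lifetime is short; a leaked id is worthless once it has expired.
my %sessions;
my $TTL = 15 * 60;

sub create_session {
    my ($user) = @_;
    my $id = new_session_id();
    $sessions{$id} = { user => $user, expires => time() + $TTL };
    return $id;
}

sub lookup_session {
    my ($id) = @_;
    my $s = $sessions{$id} or return;
    if (time() > $s->{expires}) { delete $sessions{$id}; return }
    return $s;
}

# Carry the id in a cookie rather than the query string. Browsers do not
# put cookies in the Referer header, so a hyperlink to a third-party
# server embedded in a message cannot carry the id out the way a
# URL-borne id can. HttpOnly also keeps script on the page from reading it.
sub session_cookie_header {
    my ($id) = @_;
    return "Set-Cookie: sid=$id; Path=/; HttpOnly; Secure; SameSite=Lax";
}

# Defensive check for the hijack described in the post: an id that
# arrives in the URL instead of the cookie may already have leaked, so
# it is refused outright rather than honoured.
sub session_from_request {
    my ($cookie_header, $query_string) = @_;
    return if defined $query_string && $query_string =~ /(?:^|&)sid=/;
    my ($id) = ($cookie_header // '') =~ /(?:^|;\s*)sid=([0-9a-f]{64})/;
    return unless defined $id;
    return lookup_session($id);
}

# Demonstration with constructed values.
my $id = create_session('alice');
print session_cookie_header($id), "\n";

my $s = session_from_request("sid=$id", undef);
print "cookie lookup: ", ($s ? $s->{user} : 'rejected'), "\n";   # alice

$s = session_from_request('', "sid=$id");
print "url lookup:    ", ($s ? $s->{user} : 'rejected'), "\n";   # rejected
```

Run it directly (`perl session_demo.pl`): the first lookup succeeds because the id came from the cookie, the second is rejected because the same id was presented in the query string. In a real CGI handler the two arguments to `session_from_request` come from `$ENV{HTTP_COOKIE}` and `$ENV{QUERY_STRING}`, and `%sessions` would live in a database or file store rather than process memory.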