Safe session IDs

From: Ryan M Harris (rmharris@acdinc.net)
Date: 01/10/02


From: "Ryan M Harris" <rmharris@acdinc.net>
To: <secprog@securityfocus.com>
Date: Thu, 10 Jan 2002 12:38:09 -0500

What is the most secure way of generating a session number?

I have used the following formula in the past. Is it secure (from a
randomness perspective)? Any way to make it more secure/random?

sessionid = md5( <REMOTE_IP> + <REMOTE_USER_AGENT> + rand() (5 bytes from
here) + microtime() )

Ryan M Harris
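
An added example, not part of the original post: a Python rendering of the formula in the question beside an ID drawn directly from the operating system's CSPRNG, with an upper bound on how many unpredictable bits the formula can hold. The function names, the reading of "5 bytes" as five decimal digits, the one-second timing window and the sample inputs are assumptions.

```python
import hashlib
import math
import random
import secrets

def legacy_session_id(remote_ip, user_agent, rng, now):
    """md5(ip + user agent + rand() + microtime()), as in the question.

    Assumption: "5 bytes" of rand() is read as five decimal digits.
    """
    rand_part = "%05d" % rng.randrange(100000)
    material = remote_ip + user_agent + rand_part + "%.6f" % now
    return hashlib.md5(material.encode("utf-8")).hexdigest()

def legacy_entropy_bound_bits(rand_values=100000, window_us=1000000):
    """Upper bound on unpredictable bits in the legacy ID.

    The IP and User-Agent are known to the client that sent them, and MD5
    is deterministic, so only rand() and the microsecond clock can add
    uncertainty. Assumption: issue time is known to within window_us.
    """
    return math.log2(rand_values * window_us)

def csprng_session_id(nbytes=16):
    """Session ID taken directly from the OS CSPRNG (16 bytes = 128 bits)."""
    return secrets.token_hex(nbytes)

if __name__ == "__main__":
    # Constructed sample inputs (documentation IP range, made-up agent).
    ip, agent, now = "192.0.2.10", "ExampleBrowser/1.0", 1010684289.123456
    a = legacy_session_id(ip, agent, random.Random(7), now)
    b = legacy_session_id(ip, agent, random.Random(7), now)
    print("legacy :", a, "(repeatable:", a == b, ")")
    print("bound  : %.1f bits" % legacy_entropy_bound_bits())
    print("csprng :", csprng_session_id(), "(128 bits)")
```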