>Isn't 32 character a bit excessive? From 8 character haxadecimal randomised
>userids there are about 4.3 billion possible strings. Even if you have
>10,000 active sessions this means that the hacker would still need to guess
>430,000 times before getting lucky!
>With 8 characters the index will be quicker.
>IMO, if you do not want to reduce the size of the userid then benchmark both
>of your ideas.
Maybe he was generating the strings with the MD5() function; it returns
a 32-character string.
Paul DuBois, paul@stripped