Incremental generation of ids is not very secure, because
a user could easily hijack someone else's session just by
bumping his/her session id up or down.
I've also seen security problems with random session ids,
though. For example, the WebX
message board system, a popular commercial BBS. It uses some
very funky session IDs to track logins. However, it also allows
limited HTML, including hyperlinks. So, all I need to do is
add a hyperlink into my message that leads to a CGI script
on a server I control. The CGI script reads the HTTP_REFERER
info, and forwards it to me via email. Now I have that user's
session ID, and if I get there before their session times
out, I can hijack their session and forge messages, mess with
configuration settings, etc.
Just things to consider when you are going to be using session
IDs.