1. It is never a good idea to use a PID, GID, or machine related value as even a seed for an ID. It can easily result in identical values being generated. In fact I tested this. Using a dual PIII-933 machine with mod-perl and an ID based on pid and time as you are proposing, I got the same ID produced on 31 ocassions out of 2,350,000 requests and on one ocassion got the same ID 4 times in succession. Very very insecure!
2. Using Apache::Session or CGI::Session (I prefer the latter - it is much more flexible and works much the same - it is modelled on the former.) using MD5 hashes is good. Even better is using SHA-1 digest pattern which is 160 bits long rather than the 128 bits of the MD-5 digest.
3. You should change the cookie-id regularly - if you can. If you tie the value to your session then make sure the session does not persist across browser sessions. If it does, then you should track authentication on top of that.
4. I take the MD5 session value from CGI::Session, concatenate the TIME with it and the username then I encrypt the whole lot using Blowfish. That way I can decrypt on the next request and make sure that the time value is the same as that which I have in the session record so that I can be sure that requests are being handled serially. If I get a time skip then I have either lost a request or a response, if this occurs more than once in 64 request/response cycles then either their is something funny going on or the client has an extremely poor connection!

jdtoronto