The default, Apache::Session::Generate::MD5, does MD5->hexhash(time(). {}. rand(). $$)/ Systems such as ASP under IIS appear to have session ID's that are partially determined by the client headers the (User-agent, Accept, etc.)

PS> I was horrified re-reading the Apache::Session documentation that in the SYNOPSIS they place a cc number in the session data.

--
perl -pe "s/\b;([st])/'\1/mg"