There is nothing wrong with shortening an md5 hash. Obviously it increases the possibility of a collision and you'll have to determine how many strings you are going to hash combined with the total number of possible outcomes for your chosen bitlength to determine the odds of a collision, but if you are using the md5 hash as a session identifier (as opposed to using it as a password hash -- that is, if someone gives you the md5 hash and you use that to look up some data rather than someone giving you some data and you running md5 on that data) you can loop until you have generated a unique id by adding a random character onto the end of the data being hashed.