This is an old thread, but in case anyone is still interested, I ran across some possibly useful information.

RFC 2104 makes some recommendations on shortening hash output for use with message authentication codes (MACs). They seem to think 80 bits is enough for that purpose. The SSH transport layer allows a 96-bit shortened MAC. This stuff is black magic. Of course, the original question wasn't really about a MAC anyway, but it seems related.

Here's an article which tells why you shouldn't use mod_usertrack for authentication. They suggest using Apache::Cookie::Encrypted. I've never tried it, myself.