I often create a session key with MD5 or Digest::SHA1. Into it I feed a string of concatenated system values, usually including time(), $$, username if it's a system where I have this, and I intersperse rand values in there.

I also add to that string a string of secret text that's either hardcoded or pulled from a file statically so that the SHA isnt being generated from a 100% dynamic bit of text that someone reading my code could figure out how to pattern analyze my sessionid's and predict one.

Something akin to...

use Digest::SHA1;
my $sessID = sha1(time . rand . $$ . rand . $username . rand . $secret
+bits);
[download]

Now, I'm no cryptographer, and I don't play one on TV. I'm sure Bruce Schneier would look at that and laugh.

It may be overkill, but when it comes to security I like to err on the side of paranoia. If I was just tracking sessions to customize someone's text, there's no real risk in hijacking. My sessions, however, are usually tracking someone to control access to hidden sections of a site.