Is it sufficiently random? Maybe, I don't know much about that. (I would just use one of the random number modules from CPAN.) However, it's not guranteed to be unique. It is unlikely but possible for this to generate the same ID for multiple live sessions, causing mayhem for those users. I think it's much safer to use mod_unique_id and then use a digest-based authentication to make sure that the cookie is valid and comes from you. This method is described here.