Somehow, I don't see how your "unique ID" is garanteed to be unique. You're just using a sequence of randomly picked word characters, aren't you?

If part of your session ID was the time() when the session started, perhaps encrypted and/or shuffled in a predetermined order, there's only so many sessions that could get started in that second. So if you now make sure the remainder of what your session ID string consists of, is unique for that starting second, then the session ID will be unique, period. And if that remainder is quite random and long enough to be very hard to guess, then hijacking a session seems very unlikely to me — but not impossible. I would think that recognizing attempts to break into a session, with repeated tries with various candidate session ID's, and taking appropriate action (whatever that may mean), would be the logical next step.