Note that both of these have a risk of collision that cannot be reduced below 1/2^(number of actually random bits in the seed), no matter how many characters you decide to use in the session ID. This is perhaps a small risk in this particular case, but I thought the general problem should be mentioned.

On old versions of Perl, srand() isn't even called so that each solution will always produce the exact same ID.

Adam's is a better idea and nearly as simple. It only requires about 5 characters of ID. You can't have a collision unless 32000 processes are created within a single second on your server. If you have multiple computers doing sophisticated load balancing of web requests such that IDs need to be unique across machines, then you'll need to append some characters that are unique to a machine (what to use depends on how your load balancing is done).

        - tye (but my friends call me "Tye")