in reply to Re: Sessions with perl cgi
in thread Sessions with perl cgi
A company of my acquaintance had a gallery system. People could upload pictures which, once approved, would appear in the gallery. The pictures that had not yet been approved were stored under the session name in a temporary (but publicly-readable) directory. The session key was based on the current time and a simple incrementing counter.
An enterprising porn operator noticed the system, and very quickly worked out how to access the public URLs of uploaded files. In a short period of time the company was inadvertently hosting more than 3GB of, um, interesting pictures.
This case is a combination of a few minor things not to do, but the total effect was potentially very damaging.
--
bowling trophy thieves, die!
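The weak point in the story above is a session key built from the clock plus a small counter, so the whole space of live keys is tiny. The added example below (not code from the thread; written in Python for a stand-alone check) reproduces that scheme, estimates how few bits of guessing it really offers, and contrasts it with a key drawn from the OS CSPRNG. The one-hour window and the counter bound are constructed assumptions, not figures from the post.

```python
import math
import secrets


def weak_session_id(now: int, counter: int) -> str:
    """The scheme from the post: epoch seconds joined to an incrementing counter.

    Both parts are guessable by anyone who knows roughly when a session started.
    """
    return f"{now}-{counter}"


def weak_id_guess_space_bits(window_seconds: int, max_counter: int) -> float:
    """Bits of effort needed to enumerate every id issued inside a time window.

    window_seconds: how far apart the oldest and newest live sessions can be
    (assumption: one hour). max_counter: the largest counter value the site
    ever reaches inside that window (assumption: 100 sessions).
    """
    return math.log2(window_seconds * max_counter)


def strong_session_id(nbytes: int = 32) -> str:
    """Opaque id from the OS CSPRNG: no time, no counter, nothing to extrapolate."""
    return secrets.token_urlsafe(nbytes)


def strong_id_guess_space_bits(nbytes: int = 32) -> int:
    """Each random byte contributes a full 8 bits; 32 bytes gives 256 bits."""
    return nbytes * 8


def is_strong_enough(bits: float, minimum_bits: int = 128) -> bool:
    """Review check: reject any scheme an outsider could enumerate.

    128 bits is a common floor for unguessable tokens (assumption for this check).
    """
    return bits >= minimum_bits


if __name__ == "__main__":
    weak_bits = weak_id_guess_space_bits(3600, 100)
    print(f"time+counter id: ~{weak_bits:.1f} bits, acceptable={is_strong_enough(weak_bits)}")
    print(f"CSPRNG id:        {strong_id_guess_space_bits()} bits, "
          f"acceptable={is_strong_enough(strong_id_guess_space_bits())}")
    print("sample strong id:", strong_session_id())
```

Even with generous assumptions the time-plus-counter scheme stays under 20 bits, which is why unapproved uploads keyed by it in a world-readable directory were effectively public.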