I'm a little confused at this point. I think davorg's idea is a pretty good one, as it makes it possible to pass around the session ID and reconstruct the data on the server side. I suppose you could also construct the session-ID using a two-way algorithm rather than MD5 (i.e. use a method you can decode with the proper key ... the RSA algorithm isn't patented any more =)

What do you want to consider a "safe" deletion? After a certain time? (store an expiration date in the database for each hash) When a certain percentage of (unique) respondents have used the session ID? (Ditto, you update the dB for each unique respondent).

Philosophy can be made out of anything. Or less -- Jerry A. Fodor