That sounds like a good idea. The overhead need not be too great, as you only do it when creating a new session. For the fake attempts, you only need to compare it with the valid session IDs.

--roboticus