Re: Generating unique session ids

Tomasz Ostrowski <tometzky@batory.org.pl> writes:
> * When somebody knows md5('secret_salt' || '5') he will be able to
> easily compute
>     md5('secret_salt' || '50')
>     md5('secret_salt' || '51')

Sure, but can't you fix that by putting the secret part at the end?

> * PostgreSQL integers (as returned by nextval()) are 4 bytes. This
> means only 32 bit strength - much too low for today computers.

Um, nextval returns int8.

> * Any database user is most of the time able to read function
> bodies, so anybody who is able co connect to your database will be
> able to get your 'secret_salt' and then predict session id's.

Yeah, it's not clear where to hide the secret.

            regards, tom lane