The common practice is to use a unique ID and use an SHA1 digest with a secret salt to prevent tampering with the ID. No need to build your own when CGI::Session is already there.