As a well tested and proven module, I think that you may want to look into how Apache::Session generates ids. The below code was taken directly from Apache::Session::Generate::MD5.
Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}. rand(). $$))
It basically takes an MD5 checksum of a MD5 checksum of a string like this 1072203122HASH(0x80f915c)0.43483996817758877220. It generates a 32 character long string like af68382107551b68473e6a7836ab372e. I would consider that to be pretty unique and unguessable.