You are of course correct that a truely random number would be secure. In fact my approach of ID + secret just moves the randomness to a different part.
I prefer the id + secret route because it is easier to deal with in the database. The id can be a integer which the indexes like and the secret is just a char(30) or whatever. Having the id as an integer allows for easy referencing from other tables. There is also the cosmetic appeal of seeing how many sessions you have gone through...
--tidiness is the memory loss of environmental mnemonics