Deciding on session ID string lengh to assure uniqueness

Question

When a session ID is created, the ID isn't checked for uniqueness usually. Verifying uniqueness is a big overhead when dealing with billions of records.

I was wondering what length of a random session ID string should be enough to rely on for uniqueness in a production service, as big as Gmail for example.

Any other suggestions to maintain a proper session uniqueness will be welcome.

Thanks,

Roy.

Answer 1

If you have a fairly good random number generator, a random 128-bit ID (such as a GUID) should be always unique in practice (mathematically speaking, there's a tiny tiny chance that there will be duplicates, but trust me, it's not going to happen. The universe will collapse in a giant black hole before there will be a duplicate GUID.)

Answer 2

Instead of randomly generating your own number, why not...

• Use a GUID (128-bit)
• Use a string contained of the year, month, day, hour, minute, second, milliseconds or nanoseconds

If you use a 128-bit random number, then you have a 1 in 3.40282366921e+38 chance of getting a duplicate. Assuming your numbers are truly random.