When a session ID is created, the ID isn't checked for uniqueness usually. Verifying uniqueness is a big overhead when dealing with billions of records.

I was wondering what length of a random session ID string should be enough to rely on for uniqueness in a production service, as big as Gmail for example.

Any other suggestions to maintain a proper session uniqueness will be welcome.

Thanks,

Roy.

+3  A: 

Instead of randomly generating your own number, why not...

  • Use a GUID (128-bit)
  • Use a string consisting of the year, month, day, hour, minute, second, milliseconds or nanoseconds

If you use a 128-bit random number, then you have a 1 in 3.40282366921e+38 chance of getting a duplicate, assuming your numbers are truly random.

Brian R. Bondy
+7  A: 

If you have a fairly good random number generator, a random 128-bit ID (such as a GUID) should always be unique in practice (mathematically speaking, there's a tiny tiny chance that there will be duplicates, but trust me, it's not going to happen. The universe will collapse in a giant black hole before there will be a duplicate GUID.)

DrJokepu
Woot, I just gave you 10k :D
Ólafur Waage
Ólafur Waage: Yay!
DrJokepu
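
The uniqueness argument for random 128-bit IDs made in the answers above, as an added example that is not part of the original posts: it draws IDs from the OS CSPRNG through Python's `secrets` module and uses the birthday approximation to estimate the chance that any two of n issued IDs coincide. The function names and the sample session counts are assumptions chosen for illustration.

```python
import math
import secrets


def new_session_id(bits: int = 128) -> str:
    """Return a hex session ID carrying `bits` bits from the OS CSPRNG."""
    if bits <= 0 or bits % 8:
        raise ValueError("bits must be a positive multiple of 8")
    return secrets.token_hex(bits // 8)


def collision_probability(bits: int, n: int) -> float:
    """Birthday approximation: chance that any two of n random IDs match."""
    # p ~= 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps precision when p is tiny.
    exponent = n * (n - 1) / 2 ** (bits + 1)
    return -math.expm1(-exponent)


def ids_for_probability(bits: int, p: float) -> int:
    """Roughly how many IDs can be issued before the collision chance reaches p."""
    # Inverse of the formula above: n ~= sqrt(2^(bits+1) * ln(1 / (1 - p))).
    return math.isqrt(int(2 ** (bits + 1) * -math.log1p(-p)))


if __name__ == "__main__":
    print("sample ID:", new_session_id())
    # Constructed session counts: one million, ten billion, one trillion.
    for bits in (32, 64, 128):
        for n in (10**6, 10**10, 10**12):
            p = collision_probability(bits, n)
            print(f"{bits:>3} bits, {n:.0e} IDs -> P(collision) ~ {p:.3e}")
    print("IDs for a 50% collision chance at 128 bits:",
          f"{ids_for_probability(128, 0.5):.3e}")
```

The estimate only holds when the bits come from a cryptographically secure generator; an ID built from predictable inputs has far less effective entropy than its length suggests.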
A: 

A SHA-256 hash of some piece of user data and the current full time with as much resolution as is available should get you something sufficiently unique.

vezult