string-random | Generate random string

There are a number of reasons why you might get unsuitable IDs:

• The server or browser may be caching a response (unlikely in this case, but always worth investigating).

• The random number generator was initialized in a server process that then forks a worker process for each request. The worker processes then inherit the RNG state. For plain CGI, this is unlikely because a new process is forked and execed for each request.

• The random number generator was initialized with a weak seed, e.g. srand(time). Since time() has a 1-second resolution, you'll get the same seed for all processes started within a second. It is not recommended to manually initialize srand() unless you want to get repeatable “random” number sequences.

• The built-in random() function may use a low-quality algorithm. It is absolutely not suitable for cryptographic purposes. Use a module that guarantees a particular PRNG and is seeded with a proper entropy source.

• Random numbers may occur multiple times. For true randomness you can calculate the collision probabilities with the Birthday Paradox. Unless the collision probability is astronomically small, your application needs to be able to avoid duplicate IDs.

If you're just trying to generate unique IDs without any security properties, use an existing generation algorithm (e.g. UUIDs).

In a pinch, you can easily generate such IDs based on PID + current time + a per-process sequence number:

• The PID is unique per machine for a some time, typically hours (though possibly less when the machine is rebooted or has a low pid_max).
• PID + time with at least second resolution should be a unique process identifier over the existence of a machine (ignoring time zone shenanigans).
• To avoid assigning the same ID if multiple IDs are requested within a second, add a per-process counter.

Note that such IDs are predictable, and shouldn't be used to designate security-sensitive data. Applying a hash function does not add any protection, but conveniently boxes the ID into a fixed width. These IDs are unsuitable when they must be unique across multiple machines.

If you're just trying to generate tempfiles, use an existing module such as File::Temp.