Tomasz Ostrowski <tometzky@batory.org.pl> writes:
> * When somebody knows md5('secret_salt' || '5') he will be able to
> easily compute
> md5('secret_salt' || '50')
> md5('secret_salt' || '51')
Sure, but can't you fix that by putting the secret part at the end?
> * PostgreSQL integers (as returned by nextval()) are 4 bytes. This
> means only 32 bit strength - much too low for today computers.
Um, nextval returns int8.
> * Any database user is most of the time able to read function
> bodies, so anybody who is able co connect to your database will be
> able to get your 'secret_salt' and then predict session id's.
Yeah, it's not clear where to hide the secret.
regards, tom lane