Is it really safe to consider the generated order number unique?

[XFox]

Sorry if this is a silly question.
I'm developing a new payment module (based in HTML forms) and I'd like to use the order number generated by VirtueMart as the transaction code. As a requisite the transaction code has to be unique over all the transactions generated from my shop.
Digging into the VM code I found that the order number is generated by this code in the vm_ps_checkout class (ps_checkout.php file):

Code Select Expand

function get_order_number() {
global $auth;
   
/* Generated a unique order number */

$str = session_id();
$str .= (string)time();
   
$order_number = $auth['user_id'] .'_'. md5($str);
return substr($order_number, 0, 32);
}

It' clear that the returned order number always lacks some characters of the calculated MD5 hash. How many characters are actually lost depends on the length of the current user id value.

I have some question, thank you in advance for any answer:
1) Why have been chosen to prefix the md5 hash with the user_id, thus causing the resulting order number to lose some characters of the MD5 hash to fit the value in the varchar(32) order_number field of the jos_vm_orders table?
2) Does the lost of the last characters raise the probability of a collision (i.e. the generation of the same order number for a different order)?
3) I can only use 30 characters of the order_number for the transaction code. For an hypothetical order_number 62_ce7dcf96998096464cf1b533e4b89476, is it more advisable to use the first 30 characters or the last 30 ones for the transaction code?

TIA.

[cworthing]

They will all be unique.  The first digits before the _(underscore) are the Customers ID number(always the same if the customer uses his/her same account each time).  I use a truncated 9 characters which never will be generated more than once(well not never, if you have over 1,000,000,000 invoices it might happen with different Customer IDs but never the same.)

[stinga]

G'day,

The md5 on it's own I think will always be unique because of the session id part.
I am not sure what or how that is generated.
With the user_id attached it far more likely to be unique.
You have a choice...
Chopping off the last two bytes is probably worse than chopping off the first 2 bytes, why? Because of the way the md5 is calculated.
Using the first 30 bytes: If you have a large customer placing many orders you could get a duplication.
Using the last 30 bytes: If you have many order being placed you might get duplication.

I would want to know what session_id is and how it is generated.
The other option is to add the the user_id in the md5 so that to duplicate and order your would need the same customer committing an order at the exact same time.

What is the session_id?