md5(microtime()). You might think it’s more secure than
md5(rand()), but it isn’t.
With a decent amount of tries and a method of syncing (like a clock on your website) one can predict the result of
microtime() to the millisecond. This only leaves about a 1000 different possible return values for
microtime() to be guessed. That isn’t safe.
Just stick with
md5(rand()), and if you’re lucky and
rand() is backed by
/dev/random you won’t even need the
md5(). In both cases it will be quite a lot more secure than using