Correct me if I'm wrong, but is what you're describing essentially how authentication is added to ajax jquery with some extra factors included?
Secure AJAX Authentication without SSL http://www.codeproject.com/Articles/265305/Secure-Ajax-Authentication-without-SSL
The flaw/hack in this sort of thing is not the length/strength of the hash, but how the integrity of the exchange is preserved, such as how the server side validates input. So if the attacker can steal or set the session ID, then the fact that he cannot guess the ID is a moot point (ergo, what problem are you trying to solve).
So, for example, if the application allows a POST to get flipped to a GET, then all the obfuscation goes out the window. Overall using PKI key-pairs for symmetric encryption is preferable to hashing (e.g. the RSA Javascript library or jsccryptolib is a simpler way to do this).
If what you're doing is something like .net, then nevermind.
I have no idea if this helps but....
Evernote is popular for organizing ideas.
I was recently playing around with http://todo.ly - They have an Android app and maybe an iphone one too? I dunno if they have import/export.
Appigo on the mac has a free task sync app.
Obviously, a lot of people use Google calendar if they have Gmail or Google Apps. I don't know if that counts as a goal tracking app.