GUIDs get used a lot in creating unique user IDs and session keys for web applications. I've always wondered about the safety of this practice. Since the GUID is generated based on information from the machine, and the time, along with a few other factors, how hard is it to guess of likely GUIDs that will come up in the future.

.NET Web Applications call Guid.NewGuid() to create a GUID which is in turn ends up calling the CoCreateGuid() COM function a couple of frames deeper in the stack.

From the MSDN Library:

The CoCreateGuid function calls the RPC function UuidCreate, which creates a GUID, a globally unique 128-bit integer. Use the CoCreateGuid function when you need an absolutely unique number that you will use as a persistent identifier in a distributed environment.To a very high degree of certainty, this function returns a unique value – no other invocation, on the same or any other system (networked or not), should return the same value.

And if you check the page on UuidCreate:

The UuidCreate function generates a UUID that cannot be traced to the ethernet/token ring address of the computer on which it was generated. It also cannot be associated with other UUIDs created on the same computer.

The last contains sentence is the answer to the question. So I would say, it is pretty hard to guess. 

If someone kept hitting a server with a continuous stream of GUIDs it would be more of a denial of service attack than anything else; essentially the need to track request and failed request.

The possibility of someone guessing a GUID is next to nil.