It depends on these configuration settings:
[session.hash_function](http://php.net/manual/en/session.configuration.php#ini.session.hash-function) and [session.hash_bits_per_character](http://php.net/manual/en/session.configuration.php#ini.session.hash-bits-per-character)
Shorter session ID lengths have a higher chance of collision, but this also depends a lot on the ID generation algorithm. Given the default settings, the length of the session ID should be appropriate for most applications. For higher-security implementations, you may consider looking into how PHP generates its session IDs and checking whether it's cryptographically secure. If it isn't, then you should roll your own algorithm with a cryptographically secure source of randomness.
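As an added example (not part of the original answer), the sketch below shows how the two settings determine the ID length and one way to supply IDs from a cryptographically secure source by overriding `SessionHandler::create_sid()`. It assumes PHP 7.0 or later for `random_bytes()`; the names `SecureSidHandler` and `expectedSidLength` and the 32-byte size are choices made for this illustration.

```php
<?php
// Added example; SecureSidHandler and expectedSidLength are hypothetical names.

// Session handler that keeps PHP's default storage but generates the ID itself.
class SecureSidHandler extends SessionHandler
{
    public function create_sid(): string
    {
        // 32 bytes (256 bits) from the OS CSPRNG, hex-encoded to 64 characters.
        // Hex output stays within the characters PHP's file handler accepts.
        return bin2hex(random_bytes(32));
    }
}

// Length of an ID made by encoding a digest of $hashBits bits
// at $bitsPerChar bits per output character.
function expectedSidLength(int $hashBits, int $bitsPerChar): int
{
    return (int) ceil($hashBits / $bitsPerChar);
}

// Register the handler and start the session before any output is sent.
session_set_save_handler(new SecureSidHandler(), true);
session_start();
$id = session_id();
session_destroy(); // remove the demo session file again

printf("generated ID: %s (%d characters)\n", $id, strlen($id));

// session.hash_function: 0 = MD5 (128-bit digest), 1 = SHA-1 (160-bit digest)
// session.hash_bits_per_character: 4, 5 or 6
foreach (['MD5' => 128, 'SHA-1' => 160] as $name => $bits) {
    foreach ([4, 5, 6] as $bpc) {
        printf("%-5s at %d bits/char -> %d characters\n",
            $name, $bpc, expectedSidLength($bits, $bpc));
    }
}
```

With the defaults (MD5 at 4 bits per character) this gives the familiar 32-character ID. Both settings were removed in PHP 7.1, where `session.sid_length` and `session.sid_bits_per_character` control the ID format instead.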