Here are some settings from php.ini that will help make the Session ID a lot stronger: (Entropy length and file are the most important, depending on the system they will use a CSPRNG)
; How many bytes to read from the file.
session.entropy_length = 1024
; Specified here to create the session id.
; Defaults to /dev/urandom
; On systems that don't have /dev/urandom but do have /dev/arandom,
; this will default to /dev/arandom
; If neither are found at compile time, the default is no entropy file.
; On windows, setting the entropy_length setting will activate the
; Windows random source (using the CryptoAPI)
session.entropy_file = /dev/urandom
; Select a hash function for use in generating session ids.
; Possible Values
; 0 (MD5 128 bits)
; 1 (SHA-1 160 bits)
; This option may also be set to the name of any hash function supported by
; the hash extension. A list of available hashes is returned by the hash_algos()
session.hash_function = 1 ; or sha256 sha512 etc
; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
; Possible values:
; 4 (4 bits: 0-9, a-f)
; 5 (5 bits: 0-9, a-v)
; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
; Default Value: 4
; Development Value: 5
; Production Value: 5
session.hash_bits_per_character = 6