If you’re asking a question like that, it probably means you don’t know anything about cryptography or security. Trying to generate a “long random string” because, as you say, “The PHPSESSID is not secure enough” will probably lead you to a custom and insecure implementation.

Generating a random string is IMPOSSIBLE, at least not with your current hardware: you may approximate a fair pseudorandom generator but that is only useful for educational purposes.

PHP’s Session ID generation algorithm is fairly efficient; if you think it is not secure enough, then you’ll likely waste time making it better. You may probably want to use a different authentication mechanism if you are looking at maximum security (using a client certificate for example).

If websites such as Twitter, Facebook, or another site with similar traffic use longer session IDs, it may be not because it is more secure (well in a way), but rather because it avoids conflicts.

Finally, if you want a longer session ID without trying to write your own algorithm, you should use the following PHP configuration directive:

session.hash_function which can take any hash algorithm known by PHP.

You may also want to use session.bits_per_characters to shorten or lengthen the string. Note that if you do this, the string may be longer or shorter, but the data remains the same — only represented differently (base 16, base 32, etc.)

Additional info:

You may also increase the entropy by using a custom source (file) and setting the length of the seed:

ini_set("session.hash_function", "sha512");
ini_set("session.bits_per_charater", 4); // 4 means hex
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");