In the session section of php.ini there is a directive called session.entropy_length.
I'm aware that it's used to make the generation of the Session ID "more random".
How does it make the Session ID more random?
What is the maximum length?
What if it's length exceeds the bits of the hash in use?
session_id is an hash of the client IP address (32 bits), the current timestamp and microseconds (52 bits), and a value generated from the php combined lcg(), a Psuedo Random Number Generators (PRNG) function (64 bits). The entropy is 148 bits. However, this number should not be considered as an absolute minimum value, as IP address and timestamp are well know from who creates the session.
When an undesirably low amount of entropy is available, it's possible to reconstructing the PRNG's seed from the session id. With the fact that PHP reuses the same entropy sources between different generators, this is even more easier.
The seed is used to generate other pseudorandom values, so if the attacker can obtain the seed value he can predict all the future output (including, but not only, mt_rand() and rand). That's not good.
session.entropy_length is the number of bytes which will be read from the entropy file, usually /dev/urandom or /dev/arandom (from documentation).
If you provide a random source like /dev/random, then the entropy is greater, and the strength of the generated session_id is stronger.