Depends on session.hash_function and session.hash_bits_per_character.
Check out the session_id page for more info.
The higher you set session.hash_bits_per_character the shorter your
session_id will become by using more bits per character. The possible
values are 4, 5, or 6.When using sha-1 for hashing (by setting
ini_set(‘session.hash_function’, 1) the following session string
lengths are produced by the three session.hash_bits_per_character
settings:4 – 40 character string
5 – 32 character string
6 – 27 character string