What is the length of a PHP session id string?

Depends on session.hash_function and session.hash_bits_per_character.

Check out the session_id page for more info.

The higher you set session.hash_bits_per_character the shorter yoursession_id will become by using more bits per character. The possiblevalues are 4, 5, or 6.

When using sha-1 for hashing (by settingini_set('session.hash_function', 1) the following session stringlengths are produced by the three session.hash_bits_per_charactersettings:

4 - 40 character string

5 - 32 character string

6 - 27 character string

@sachleen answer isn't full.
More detailed info about session id length is described here.

Summary:

128-bit digest (MD5)  4 bits/char: 32 char SID    5 bits/char: 26 char SID    6 bits/char: 22 char SID160-bit digest (SHA-1)4 bits/char: 40 char SID    5 bits/char: 32 char SID    6 bits/char: 27 char SID

And sample regex to check session id:

preg_match('/^[a-zA-Z0-9,-]{22,40}$/', $sessionId)

It depends on these configuration settings:session.hash_function and session.hash_bits_per_character

Shorter session ID lengths have the higher chance of collision, but this also depends a lot on the ID generation algorithm. Given the default settings, the length of the session ID should be appropriate for most applications. For higher-security implementations, you may consider looking into how PHP generates its session IDs and check whether it's cryptographically secure. If it isn't, then you should roll your own algorithm with a cryptographically secure source of randomness.