Designing your own random number generator in a high-level language is a terrible, terrible idea.
:) FWIW, merlyn didn't design it, he copied from the fallback Apache::Session::Generate::MD5
I don't know from entrophy and randomness, but this isn't encryption we're dealing with, no authentication or authorization, no financial transactions -- if the attacker has access to the application, guessing doesn't get him anything he didn't already have access to
You might like Re^3: Randomness encountered with CGI Session where afoken talks bits
FYI/FMI Session::Token - Portable, secure, efficient, simple random session token generation that satisfies those OWASP recommendations