It is according to the words of the guy who gave me that link.
I'm not sure, though, whether the same risk is also applicable to session_id() or not; if it is, there's a much bigger problem.
It's not a solution or a thing to be reassured of. Security can't rely on actions taken by other persons (maybe).
That's what I mean. If someone brute-forces in the manner you're thinking, they're going to generate an obscene number of requests and even the most inept host is going to notice that. But with this technique, session stealing is potentially within the region of requests where hosts may or may not notice it.
What's the /dev/urandom thing?
EDIT: OK, I read about urandom... it seems it's the maximum security method, but it's very likely slow, isn't it? It gathers all environmental data + the use of PRNG...