Lots of code does something like this to generate some kind of secret:
sha1(random())
Why not simply use a random number? I realize that in the past, some OS random generators weren't so great, but I'm not sure that's still true, and even if it were, how does sha1'ing it make it better?
I suspect that most often the hash function is misused as encoding function. One needs an alphanumeric code of a certain length, and the hash provides such a string. It's easy and it looks unpredictable.
It is easy to forget, that the random part of md5(random()) are not the 32 hex characters of the md5, instead there will be only as many possible results as the random() function delivers. If one knows how the random function works, one could precalculate a range of possible values.
The code would be more random (better entrophy), if you really used the random source of the OS, and request as many bytes as seems necessary. Those bytes you can then encode with a function like base64_encode(). For tokens, a base62 encoding would be ideal, because it is very compact and doesn't return special characters, though it's a bit hard to implement.
To answer your question: A random number would be better, but it has to be "really" random. If you use it as alphanumberic numbers with only '0'-'9', then your token will be long, it can be shortened with an encoding function.