Setting session IDs is security-sensitive. Dynamically setting session IDs with client-supplied data or insecure hashes may lead to session fixation attacks and may allow an attacker to hijack another user's session.
You are at risk if you answered yes to any of those questions.
session_regenerate_id(). bin2hex(random_bytes(16)) session_id(customHash($user)); // or session_id($_POST["hidden_session_id"]);
session_regenerate_id(); // or $sessionId = bin2hex(random_bytes(16)); session_id($sessionId);