Setting session IDs is security-sensitive. Deriving a session ID from client-supplied data or from a weak hash of a predictable value (such as the user name) may lead to session fixation attacks and may allow an attacker to hijack another user's session: an ID taken from a request parameter lets the attacker choose it in advance, and an ID computed from a guessable input lets the attacker recompute it.

Ask Yourself Whether

You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Sensitive Code Example

// Deterministic: anyone who knows $user and the hash function can compute the ID.
session_id(customHash($user));
// or
// Attacker-controlled: the client picks the ID the server will trust.
session_id($_POST["hidden_session_id"]);

Compliant Solution

// Let PHP issue a fresh, server-generated ID (pass true to also delete the old session data).
session_regenerate_id();
// or
// 128 bits from the CSPRNG; unpredictable and never derived from client input.
$sessionId = bin2hex(random_bytes(16));
session_id($sessionId);
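The compliant calls above matter most at privilege changes, because fixation works by getting a victim to authenticate under an ID the attacker already knows. The following login handler is an added example, not code from the rule page; it regenerates the ID only after credentials are verified and enables `session.use_strict_mode` so that an ID the server never issued is rejected outright. The function names `promoteSession` and `verifyCredentials`, and the single stored user, are illustrative assumptions.

```php
<?php
// Added example (not from the original rule page). Names are illustrative.

// Reject session IDs the server never issued (e.g. a PHPSESSID planted by an
// attacker through a link or cookie). Must be set before session_start().
ini_set('session.use_strict_mode', '1');
// Never accept the ID from the URL, and keep the cookie out of reach of scripts.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');

session_start();

/**
 * Call only after credentials have been verified. Issues a fresh,
 * server-generated session ID and deletes the old session so that a
 * pre-authentication ID an attacker may know is never promoted to an
 * authenticated session.
 */
function promoteSession(string $userId): void
{
    // true: remove the old session storage instead of leaving it readable.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('could not regenerate session id');
    }
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}

/** Invalidate the authenticated session entirely on logout. */
function endSession(): void
{
    $_SESSION = [];
    session_destroy();
}

// Constructed stand-in for a real credential store; one hard-coded user.
function verifyCredentials(string $user, string $password): bool
{
    static $stored = null;
    if ($stored === null) {
        $stored = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($stored[$user]) && password_verify($password, $stored[$user]);
}

$user = $_POST['user'] ?? '';
$pass = $_POST['password'] ?? '';

if (verifyCredentials($user, $pass)) {
    // Sensitive variant, for contrast (do not do this):
    //   session_id($_POST['hidden_session_id']);  // before session_start()
    // That lets the client choose the ID, which is exactly what fixation needs.
    promoteSession($user);
    echo 'logged in, session id: ' . session_id();
} else {
    http_response_code(401);
    echo 'invalid credentials';
}
```

Regenerating before authentication, or never regenerating, leaves the pre-login ID valid after login; regenerating with `true` also removes the old session record so a stolen pre-login ID cannot be replayed against the stored data.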

See