If a session ID can be easily determined ("session fixation attacks"), an attacker can try to force a legitimate user to use a session ID that the attacker already knows. Once that user is authenticated, the attacker shares the same session ID and therefore all of the user's privileges on the web application.

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Sensitive Code Example

// The session ID is derived from user data: it is predictable and an attacker can reproduce it
session_id(customHash($user));
// or
// The session ID is taken from a request parameter: an attacker can choose it in advance
session_id($_POST["hidden_session_id"]);

Compliant Solution

// Let PHP replace the current session ID with a freshly generated random one (call after session_start())
session_regenerate_id();
// or
// Generate a cryptographically random ID yourself and set it before session_start()
$sessionId = bin2hex(random_bytes(16));
session_id($sessionId);
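As an added example that is not part of this rule description: a minimal PHP login handler that never derives the session ID from application or request data, enables strict mode so PHP rejects IDs it did not issue itself, and rotates the ID at the moment the user authenticates. The in-memory user table, the password and the /dashboard redirect are constructed for the demo; the cookie settings assume the site is served over HTTPS.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original rule. Reject session IDs the
// server never issued, so an ID supplied via cookie, URL or form field
// cannot be fixed on a victim before login.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumes HTTPS
    'samesite' => 'Lax',
]);

// PHP generates the ID; the application never calls session_id() with its own value.
session_start();

// Constructed user table for the demo (hash computed at startup).
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function verify_credentials(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login_user(string $user): void
{
    // Rotate the ID at the privilege boundary and delete the old session
    // data, so a pre-authentication ID an attacker may know no longer maps
    // to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user     = (string) ($_POST['user'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    if (verify_credentials($USERS, $user, $password)) {
        login_user($user);
        header('Location: /dashboard');
        exit;
    }
    http_response_code(401);
    echo 'Invalid credentials';
}
```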

See