If a session can be easily determined ("session fixation attacks"), then an attacker can try to force a legit user to use a session ID that he knows. Thus, when the user is authenticated, he will share the same session ID than the attacker and all its privileges on the web application.
There is a risk if you answered yes to any of those questions.
session_regenerate_id(). bin2hex(random_bytes(16)) session_id(customHash($user)); // or session_id($_POST["hidden_session_id"]);
session_regenerate_id(); // or $sessionId = bin2hex(random_bytes(16)); session_id($sessionId);