If a session ID can be guessed (not generated with a secure pseudo random generator, or with insufficient length ...) an attacker may be able to hijack another user's session.
There is a risk if you answered yes to any of those questions.
Don't manually generate session IDs, use instead language based native functionality.
session_id(bin2hex(random_bytes(4))); // Sensitive: 4 bytes is too short session_id($_POST["session_id"]); // Sensitive: session ID can be specified by the user
session_regenerate_id(); ; // Compliant session_id(bin2hex(random_bytes(16))); // Compliant