diff --git a/core/assets/scaffold/files/default.services.yml b/core/assets/scaffold/files/default.services.yml
index 45d986cd8e..9aa48df92d 100644
--- a/core/assets/scaffold/files/default.services.yml
+++ b/core/assets/scaffold/files/default.services.yml
@@ -36,6 +36,18 @@ parameters:
 # @default none
 # cookie_domain: '.example.com'
 #
+ # Specify the length of session ID string. Session ID length can be between
+ # 22 to 256. The PHP recommended value is 48. See
+ # https://www.php.net/manual/session.security.ini.php for more information.
+ # @default 48
+ sid_length: 48
+ #
+ # Specify the number of bits in encoded session ID character. The possible
+ # values are '4' (0-9, a-f), '5' (0-9, a-v), and '6' (0-9, a-z, A-Z, "-",
+ # ","). The PHP recommended value is 5. See
+ # https://www.php.net/manual/session.security.ini.php for more information.
+ # @default 6
+ sid_bits_per_character: 6
 twig.config:
 # Twig debugging:
 #
diff --git a/core/core.services.yml b/core/core.services.yml
index 2b2212a3da..f672ffab52 100644
--- a/core/core.services.yml
+++ b/core/core.services.yml
@@ -9,6 +9,8 @@ parameters:
 gc_divisor: 100
 gc_maxlifetime: 200000
 cookie_lifetime: 2000000
+ sid_length: 48
+ sid_bits_per_character: 6
 twig.config:
 debug: false
 auto_reload: null
diff --git a/core/lib/Drupal/Core/Session/SessionConfiguration.php b/core/lib/Drupal/Core/Session/SessionConfiguration.php
index bbdde7cb5d..cecc0a350f 100644
--- a/core/lib/Drupal/Core/Session/SessionConfiguration.php
+++ b/core/lib/Drupal/Core/Session/SessionConfiguration.php
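Review bot: The new comment for `sid_bits_per_character` in core/assets/scaffold/files/default.services.yml cites a PHP recommended value of 5 directly above a shipped default of 6 and does not say which direction is stronger, so a site owner may read it as advice to lower the setting. The two settings multiply: the ID carries roughly sid_length × sid_bits_per_character bits, which is 288 with these defaults and 88 at the documented minimums of 22 and 4. I would add a line such as `# Lowering either value reduces the entropy of the session ID; do not go below the defaults without a reason.` The same text is added to sites/default/default.services.yml later in this diff and needs the same change.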
@@ -22,9 +22,12 @@ class SessionConfiguration implements SessionConfigurationInterface {
 *
 * @see \Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage::__construct()
 * @see http://php.net/manual/session.configuration.php
+ * @see https://www.php.net/manual/session.security.ini.php
 */
 public function __construct($options = []) {
- $this->options = $options;
+ // Provide sensible defaults for sid_length and sid_bits_per_character.
+ // See core/assets/scaffold/files/default.services.yml for more information.
+ $this->options = $options + ['sid_length' => 48, 'sid_bits_per_character' => 6];
 }

 /**
diff --git a/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php b/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
index 70847cb78b..e39913caff 100644
--- a/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
+++ b/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
@@ -246,4 +246,33 @@ public function providerTestEnforcedSessionName() {
 }, $data);
 }

+ /**
+ * Tests constructor's default settings.
+ *
+ * @covers ::__construct
+ *
+ * @dataProvider providerTestConstructorDefaultSettings
+ */
+ public function testConstructorDefaultSettings(array $options, int $expected_sid_length, int $expected_sid_bits_per_character) {
+ $config = $this->createSessionConfiguration($options);
+ $options = $config->getOptions(Request::createFromGlobals());
+ $this->assertSame($expected_sid_length, $options['sid_length']);
+ $this->assertSame($expected_sid_bits_per_character, $options['sid_bits_per_character']);
+ }
+
+ /**
+ * Data provider for the constructor test.
+ *
+ * @returns array
+ * Test data
+ */
+ public function providerTestConstructorDefaultSettings() {
+ return [
+ [[], 48, 6],
+ [['sid_length' => 100], 100, 6],
+ [['sid_bits_per_character' => 5], 48, 5],
+ [['sid_length' => 100, 'sid_bits_per_character' => 5], 100, 5],
+ ];
+ }
+
 }
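Review bot: The array union on the new assignment in `SessionConfiguration::__construct()` only fills keys that are absent, so a `sid_length` or `sid_bits_per_character` that is present but null, non-numeric or outside the ranges documented in default.services.yml (22 to 256, and 4, 5 or 6) is stored unchanged, and nothing in this hunk checks it. Because these two values set the strength of the session ID, I would either range-check them here or state the limitation in the comment, e.g. `// Only missing keys get a default; supplied values are not validated here.` The literals 48 and 6 also repeat the values added to core.services.yml, and named class constants would keep the PHP-side defaults in one place. The constructor's docblock begins above the hunk, so its `@param` text is not visible from here.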
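Review bot: The docblock of `providerTestConstructorDefaultSettings()` in SessionConfigurationTest.php uses `@returns array`, which is not the PHPDoc tag; it should read `@return array`. The four data sets cover only absent keys and valid overrides, so the behaviour of the constructor's array union for a key that is present but null, or for an out-of-range number, is not pinned down by any test. A separate test for those inputs would be needed, since `testConstructorDefaultSettings()` type-hints both expected values as `int`.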
diff --git a/sites/default/default.services.yml b/sites/default/default.services.yml
index 45d986cd8e..9aa48df92d 100644
--- a/sites/default/default.services.yml
+++ b/sites/default/default.services.yml
@@ -36,6 +36,18 @@ parameters:
 # @default none
 # cookie_domain: '.example.com'
 #
+ # Specify the length of session ID string. Session ID length can be between
+ # 22 to 256. The PHP recommended value is 48. See
+ # https://www.php.net/manual/session.security.ini.php for more information.
+ # @default 48
+ sid_length: 48
+ #
+ # Specify the number of bits in encoded session ID character. The possible
+ # values are '4' (0-9, a-f), '5' (0-9, a-v), and '6' (0-9, a-z, A-Z, "-",
+ # ","). The PHP recommended value is 5. See
+ # https://www.php.net/manual/session.security.ini.php for more information.
+ # @default 6
+ sid_bits_per_character: 6
 twig.config:
 # Twig debugging:
 #