diff -u b/includes/session.inc b/includes/session.inc
--- b/includes/session.inc
+++ b/includes/session.inc
@@ -602,9 +602,20 @@
   return $save_session;
 }
 
-require_once DRUPAL_ROOT . '/includes/install.inc';
+/**
+ * Session ids are hashed by default before being stored in the database.
+ *
+ * This should only be done if any existing sessions have been updated, as
+ * reflected by the hash_session_ids variable.
+ *
+ * @param $id
+ *   A session id.
+ *
+ * @return
+ *   The session id which may have been hashed.
+ */
 function drupal_session_id($id) {
-  if (variable_get('hash_session_ids', TRUE) && drupal_get_installed_schema_version('system') >= 7086) {
+  if (variable_get('hash_session_ids', FALSE) && !variable_get('do_not_hash_session_ids', FALSE)) {
     $id = drupal_hash_base64($id);
   }
   return $id;
diff -u b/modules/simpletest/tests/session.test b/modules/simpletest/tests/session.test
--- b/modules/simpletest/tests/session.test
+++ b/modules/simpletest/tests/session.test
@@ -740,8 +740,8 @@
    */
   protected function assertSessionIds($sid, $ssid, $assertion_text) {
     $args = array(
-      ':sid' => drupal_hash_base64($sid),
-      ':ssid' => !empty($ssid) ? drupal_hash_base64($ssid) : '',
+      ':sid' => drupal_session_id($sid),
+      ':ssid' => !empty($ssid) ? drupal_session_id($ssid) : '',
     );
     return $this->assertTrue(db_query('SELECT timestamp FROM {sessions} WHERE sid = :sid AND ssid = :ssid', $args)->fetchField(), $assertion_text);
   }
diff -u b/modules/system/system.install b/modules/system/system.install
--- b/modules/system/system.install
+++ b/modules/system/system.install
@@ -671,6 +671,9 @@
   // Populate the cron key variable.
   $cron_key = drupal_random_key();
   variable_set('cron_key', $cron_key);
+
+  // This variable indicates that the database is ready for hashed session ids.
+  variable_set('hash_session_ids', TRUE);
 }
 
 /**
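Review bot: The gate in drupal_session_id now depends on two independently mutable variables, so setting `do_not_hash_session_ids` after the system update has already rewritten the stored sids (or clearing it after having opted out at update time) makes every existing {sessions} row unmatchable and silently logs all users out; the new docblock only describes hash_session_ids. I would add to it: `The do_not_hash_session_ids setting must match what was in effect when the sessions table was rehashed (system_update_7086, inferred from the removed schema-version check); changing it on a live site invalidates every stored session.` A sentence on why an unsalted digest is acceptable here would also help, but that only holds if the ids passed in are the full-entropy random values Drupal generates, and drupal_hash_base64 is not visible in this patch, so confirm it against that implementation before stating it. The phrase "if any existing sessions have been updated" should read "once all existing sessions have been updated". The function's closing brace lies outside the hunk.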
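Review bot: assertSessionIds now derives the expected stored value from drupal_session_id, the very function whose effect the test is meant to verify, so the helper passes whether or not hashing is actually in effect and no longer proves that a plaintext sid never reaches the {sessions} table. Keep the lookup as written but add an independent negative check such as `$this->assertFalse(db_query('SELECT 1 FROM {sessions} WHERE sid = :sid', array(':sid' => $sid))->fetchField(), 'Plaintext session id is not stored.');`, skipped only when the test deliberately sets do_not_hash_session_ids. The helper is fully contained in this hunk.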
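Review bot: `variable_set('hash_session_ids', TRUE)` is added at the end of system_install(), so any row already written to {sessions} before this point — the installer's own session, if it is persisted by then — holds a plaintext sid that stops matching the moment the variable flips; whether such a row exists at this stage is not visible in the hunk and is worth checking with an install test. If no row can exist yet, say so next to the call, e.g. `// No session rows exist yet, so enabling hashing here cannot orphan any.`; if one can, set the variable before the first session write or regenerate the session here.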
@@ -3385,7 +3388,7 @@
   db_change_field('sessions', 'ssid', 'ssid', $spec, array('primary key' => array('sid', 'ssid')));
 
   // Update all existing sessions.
-  if (variable_get('hash_session_ids', TRUE)) {
+  if (!variable_get('do_not_hash_session_ids', FALSE)) {
     $sessions = db_query('SELECT sid, ssid FROM {sessions}');
     while ($session = $sessions->fetchAssoc()) {
       $query = db_update('sessions');
@@ -3403,6 +3406,9 @@
       ->execute();
     }
   }
+
+  // This variable indicates that the database is ready for hashed session ids.
+  variable_set('hash_session_ids', TRUE);
 }
 
 /**
only in patch2: unchanged:
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -854,3 +854,11 @@ $conf['mail_display_name_site_name'] = TRUE;
  * @see https://www.php.net/manual/function.phpinfo.php
  */
 # $conf['sa_core_2023_004_phpinfo_flags'] = ~(INFO_VARIABLES | INFO_ENVIRONMENT);
+
+/**
+ * Session ids are hashed by default before being stored in the database. This
+ * reduces the risk of sessions being hijacked if the database is compromised.
+ *
+ * This variable allows opting out of this security improvement.
+ */
+# $conf['do_not_hash_session_ids'] = TRUE;
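Review bot: The rehash loop guarded by the new `!variable_get('do_not_hash_session_ids', FALSE)` condition issues one UPDATE per {sessions} row within a single update-hook run, so a large session table risks hitting the PHP time limit on update.php and leaving a mix of hashed and plaintext rows with hash_session_ids still unset. If the hook receives `$sandbox` (its signature is outside the hunk) the loop should be batched; otherwise document the limit in the hook's docblock. It is also worth noting for operators that rehashing preserves sessions whose plaintext ids may already have been exposed — the very threat the change addresses — so a comment such as `// If the database may already have leaked, truncate {sessions} instead of relying on this rehash.` would be a fair caveat. The enclosing function continues past this hunk.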
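Review bot: `variable_set('hash_session_ids', TRUE)` executes only after the loop above completes, and nothing here forces maintenance mode, so a session created by a concurrent request between the SELECT of existing rows and this line is stored unhashed and becomes unreachable once the variable flips. If that window is accepted, state it in the comment, e.g. `// Sessions written while the loop above ran stay unhashed and are dropped once this flips; update.php is expected to run in maintenance mode.` Otherwise the variable would have to be set first and the loop made to skip already-hashed rows, which needs a reliable way to distinguish them that this hunk does not provide. The surrounding function starts outside the hunk.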
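Review bot: The new settings docblock explains that `do_not_hash_session_ids` opts out of hashing but not when it is safe to set: it must be in place before update.php runs for the rehash of existing rows to be skipped, and toggling it afterwards on a live site makes every stored session unreadable and logs all users out. Extend the comment with something like `Set this before running update.php; changing it afterwards invalidates every existing session and forces all users to log in again.` A sentence on what opting out costs — a database leak then yields directly usable session cookies — would make the trade-off explicit to whoever uncomments the line.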