diff -u b/modules/simpletest/tests/session.test b/modules/simpletest/tests/session.test
--- b/modules/simpletest/tests/session.test
+++ b/modules/simpletest/tests/session.test
@@ -248,4 +248,66 @@
 /**
+ * Test hashing of session ids in the database.
+ */
+ function testHashedSessionIds() {
+ $user = $this->drupalCreateUser(array('access content'));
+ $this->drupalLogin($user);
+ $this->drupalGet('session-test/is-logged-in');
+ $this->assertResponse(200, 'User is logged in.');
+
+ $this->drupalGet('session-test/id');
+ $matches = array();
+ preg_match('/\s*session_id:(.*)\n/', $this->drupalGetContent(), $matches);
+ $this->assertTrue(!empty($matches[1]) , 'Found session ID after logging in.');
+ $session_id = $matches[1];
+
+ $this->drupalGet('session-test/id-from-cookie');
+ $matches = array();
+ preg_match('/\s*session_id:(.*)\n/', $this->drupalGetContent(), $matches);
+ $this->assertTrue(!empty($matches[1]) , 'Found session ID from cookie.');
+ $cookie_session_id = $matches[1];
+
+ $this->assertEqual($session_id, $cookie_session_id, 'Session id and cookie session id are the same.');
+
+ $sql = 'SELECT s.sid FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.uid = :uid';
+ $db_session = db_query($sql, array(':uid' => $user->uid))->fetchObject();
+
+ $this->assertNotEqual($db_session->sid, $cookie_session_id, 'Session id in the database is not the same as in the session cookie.');
+ $this->assertEqual($db_session->sid, drupal_hash_base64($cookie_session_id), 'Session id in the database is the cookie session id hashed.');
+ }
+
+ /**
+ * Test opt-out of hashing of session ids in the database.
+ */
+ function testHashedSessionIdsOptOut() {
+ variable_set('do_not_hash_session_ids', TRUE);
+
+ $user = $this->drupalCreateUser(array('access content'));
+ $this->drupalLogin($user);
+ $this->drupalGet('session-test/is-logged-in');
+ $this->assertResponse(200, 'User is logged in.');
+
+ $this->drupalGet('session-test/id');
+ $matches = array();
+ preg_match('/\s*session_id:(.*)\n/', $this->drupalGetContent(), $matches);
+ $this->assertTrue(!empty($matches[1]) , 'Found session ID after logging in.');
+ $session_id = $matches[1];
+
+ $this->drupalGet('session-test/id-from-cookie');
+ $matches = array();
+ preg_match('/\s*session_id:(.*)\n/', $this->drupalGetContent(), $matches);
+ $this->assertTrue(!empty($matches[1]) , 'Found session ID from cookie.');
+ $cookie_session_id = $matches[1];
+
+ $this->assertEqual($session_id, $cookie_session_id, 'Session id and cookie session id are the same.');
+
+ $sql = 'SELECT s.sid FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.uid = :uid';
+ $db_session = db_query($sql, array(':uid' => $user->uid))->fetchObject();
+
+ $this->assertEqual($db_session->sid, $cookie_session_id, 'Session id in the database is the same as in the session cookie.');
+ $this->assertNotEqual($db_session->sid, drupal_hash_base64($cookie_session_id), 'Session id in the database is not the cookie session id hashed.');
+ }
+
+ /**
 * Test absence of SameSite attribute on session cookies by default.
 */
diff -u b/modules/system/system.install b/modules/system/system.install
--- b/modules/system/system.install
+++ b/modules/system/system.install
@@ -3363,8 +3363,8 @@
 variable_del('block_interest_cohort');
 }
-/*
- * Update the schema and data of the sessions table.
+/**
+ * Prepare the schema and data of the sessions table for hashed session ids.
 */
 function system_update_7086() {
 // Update the session ID fields' description.
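Review bot: `$db_session` from `fetchObject()` is dereferenced without checking that a row came back, so a missing or stale `{sessions}` row would surface as a PHP notice on `$db_session->sid` instead of a clear assertion failure; add `$this->assertTrue($db_session !== FALSE, 'Session row found for the logged-in user.');` before the two sid assertions, in both testHashedSessionIds and testHashedSessionIdsOptOut. The `preg_match()` return values are likewise unchecked, though the following `!empty($matches[1])` assertions cover the practical case. Both tests only inspect `sid`; if the hashing also applies to the `ssid` column (the system.install hunk refers to session ID fields in the plural), that path, which is the one protecting HTTPS sessions against a database read, is untested. The login-and-extract sequence is duplicated verbatim between the two methods and could move into a private helper that returns the page session id, the cookie session id and the database row, leaving each test with only its hashed/unhashed assertions.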