diff -u b/core/includes/session.inc b/core/includes/session.inc
--- b/core/includes/session.inc
+++ b/core/includes/session.inc
@@ -387,13 +387,13 @@
 $params = session_get_cookie_params();
 $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
 setcookie(session_name(), session_id(), $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
- $fields = array('sid' => session_id());
+ $fields = array('sid' => Crypt::hashBase64(session_id()));
 if ($is_https) {
- $fields['ssid'] = session_id();
+ $fields['ssid'] = Crypt::hashBase64(session_id());
 // If the "secure pages" setting is enabled, use the newly-created
 // insecure session identifier as the regenerated sid.
 if (settings()->get('mixed_mode_sessions', FALSE)) {
- $fields['sid'] = $session_id;
+ $fields['sid'] = Crypt::hashBase64($session_id);
 }
 }
 db_update('sessions')
only in patch2: unchanged:
--- a/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php
@@ -9,6 +9,7 @@ use Drupal\simpletest\WebTestBase;
 use Symfony\Component\HttpFoundation\Request;
+use Drupal\Component\Utility\Crypt;
 /**
 * Ensure that when running under HTTPS two session cookies are generated.
@@ -229,8 +230,8 @@ protected function testHttpsSession() {
 */
 protected function assertSessionIds($sid, $ssid, $assertion_text) {
 $args = array(
- ':sid' => $sid,
- ':ssid' => $ssid,
+ ':sid' => Crypt::hashBase64($sid),
+ ':ssid' => Crypt::hashBase64($ssid),
 );
 return $this->assertTrue(db_query('SELECT timestamp FROM {sessions} WHERE sid = :sid AND ssid = :ssid', $args)->fetchField(), $assertion_text);
 }
only in patch2: unchanged:
--- a/core/modules/system/system.install
+++ b/core/modules/system/system.install
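Review bot: `Crypt::hashBase64(session_id())` is evaluated twice on the first two `+` lines of the session.inc hunk; hoist it into a local, e.g. `$hashed_sid = Crypt::hashBase64(session_id());`, then `$fields = array('sid' => $hashed_sid);` and `$fields['ssid'] = $hashed_sid;`, so the sid and ssid columns cannot drift apart if the digest call is ever changed in one place only. The preceding `setcookie()` line still hands the raw identifier to the browser, so the database now holds only a one-way digest; that only protects sessions if every read, regenerate and destroy path applies the same digest to the cookie value, and those paths are outside this hunk so I cannot confirm they were updated. Rows written before this change still hold raw IDs and will no longer match a hashed lookup unless an update hook rehashes or truncates {sessions}. The enclosing function begins and ends outside the hunk.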
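Review bot: `assertSessionIds()` now only proves that the hashed values are present in {sessions}; nothing asserts that the raw cookie values are absent, which is the property this change is meant to deliver, so a regression that stored both would still pass. Add a negative check before the return, e.g. `$this->assertFalse(db_query('SELECT 1 FROM {sessions} WHERE sid = :sid OR ssid = :ssid', array(':sid' => $sid, ':ssid' => $ssid))->fetchField(), 'Raw session IDs are not stored.');`. The existing `assertTrue(...->fetchField())` also treats a matching row whose `timestamp` is 0 as a miss; that predates this hunk but is worth tightening to an `isset`/`!== FALSE` check. The class continues outside the hunk.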
@@ -1048,13 +1048,13 @@ function system_schema() {
 'not null' => TRUE,
 ),
 'sid' => array(
- 'description' => "A session ID. The value is generated by Drupal's session handlers.",
+ 'description' => "A session ID (hashed). The value is generated by Drupal's session handlers.",
 'type' => 'varchar',
 'length' => 128,
 'not null' => TRUE,
 ),
 'ssid' => array(
- 'description' => "Secure session ID. The value is generated by Drupal's session handlers.",
+ 'description' => "Secure session ID (hashed). The value is generated by Drupal's session handlers.",
 'type' => 'varchar',
 'length' => 128,
 'not null' => TRUE,
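Review bot: The two `+` description lines now promise that `sid` and `ssid` hold hashed values, but the hunk changes no schema property and carries no `system_update_N()` hook, so rows written before this change still contain raw session IDs and, once lookups compare hashed cookie values, those sessions will silently stop resolving rather than be migrated. Unless an update hook elsewhere in the patch rehashes or truncates {sessions} (not visible here), add one alongside this schema change. If `Crypt::hashBase64()` is a base64-encoded SHA-256 as its name suggests, its 43-character output fits the existing `'length' => 128`, so no column change is required. `system_schema()` begins and ends outside the hunk.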