diff --git a/core/includes/session.inc b/core/includes/session.inc
index fa46972..008b6d9 100644
--- a/core/includes/session.inc
+++ b/core/includes/session.inc
@@ -94,17 +94,17 @@ function _drupal_session_read($sid) {
 // a HTTPS session or we are about to log in so we check the sessions table
 // for an anonymous session with the non-HTTPS-only cookie.
 if (\Drupal::request()->isSecure()) {
- $values = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.ssid = :ssid", array(':ssid' => $sid))->fetchAssoc();
+ $values = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.ssid = :ssid", array(':ssid' => Crypt::hashBase64($sid)))->fetchAssoc();
 if (!$values) {
 if ($cookies->has($insecure_session_name)) {
 $values = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid AND s.uid = 0", array(
- ':sid' => $cookies->get($insecure_session_name)))
+ ':sid' => Crypt::hashBase64($cookies->get($insecure_session_name))))
 ->fetchAssoc();
 }
 }
 }
 else {
- $values = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid", array(':sid' => $sid))->fetchAssoc();
+ $values = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid", array(':sid' => Crypt::hashBase64($sid)))->fetchAssoc();
 }
 // We found the client's session record and they are an authenticated,
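Review bot: The three lookups in this hunk now bind `Crypt::hashBase64($sid)` (and the hashed insecure cookie value) as the query parameter, but no hunk in this diff adds `use Drupal\Component\Utility\Crypt;` to session.inc; unless that import already exists above line 94, every session read fails with an undefined class. Rows written before this change still hold the raw identifier, so after deployment they can never match a hashed parameter — I do not see an update hook in this diff that empties or rehashes the sessions table, and without one every existing session is silently orphaned. The selected `s.*` columns now return the hash rather than the cookie value, so any caller that reads `$values['sid']` or `$values['ssid']` expecting the raw ID should be checked. _drupal_session_read() starts and ends outside this hunk.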
@@ -185,10 +185,10 @@ function _drupal_session_write($sid, $value) {
 // Use the session ID as 'sid' and an empty string as 'ssid' by default.
 // _drupal_session_read() does not allow empty strings so that's a safe
 // default.
- $key = array('sid' => $sid, 'ssid' => '');
+ $key = array('sid' => Crypt::hashBase64($sid), 'ssid' => '');
 // On HTTPS connections, use the session ID as both 'sid' and 'ssid'.
 if (\Drupal::request()->isSecure()) {
- $key['ssid'] = $sid;
+ $key['ssid'] = Crypt::hashBase64($sid);
 $cookies = \Drupal::request()->cookies;
 // The "secure pages" setting allows a site to simultaneously use both
 // secure and insecure session cookies. If enabled and both cookies are
@@ -196,7 +196,7 @@ function _drupal_session_write($sid, $value) {
 if (settings()->get('mixed_mode_sessions', FALSE)) {
 $insecure_session_name = substr(session_name(), 1);
 if ($cookies->has($insecure_session_name)) {
- $key['sid'] = $cookies->get($insecure_session_name);
+ $key['sid'] = Crypt::hashBase64($cookies->get($insecure_session_name));
 }
 }
 }
@@ -395,7 +395,7 @@ function drupal_session_regenerate() {
 }
 db_update('sessions')
 ->fields($fields)
- ->condition($is_https ? 'ssid' : 'sid', $old_session_id)
+ ->condition($is_https ? 'ssid' : 'sid', Crypt::hashBase64($old_session_id))
 ->execute();
 }
 elseif (isset($old_insecure_session_id)) {
@@ -403,8 +403,8 @@ function drupal_session_regenerate() {
 // secure site but a session was active on the insecure site, update the
 // insecure session with the new session identifiers.
 db_update('sessions')
- ->fields(array('sid' => $session_id, 'ssid' => session_id()))
- ->condition('sid', $old_insecure_session_id)
+ ->fields(array('sid' => Crypt::hashBase64($session_id), 'ssid' => Crypt::hashBase64(session_id())))
+ ->condition('sid', Crypt::hashBase64($old_insecure_session_id))
 ->execute();
 }
 else {
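Review bot: The retained comment directly above `$key = array('sid' => Crypt::hashBase64($sid), 'ssid' => '');` still justifies the empty 'ssid' default by `_drupal_session_read()` rejecting empty strings, but the guarantee that now holds on the visible lines is that the read side compares against a base64 hash, which can never equal `''`; suggest rewording it to `// Only a hash of the session ID is stored so that a leaked sessions table does not yield usable cookies; the empty 'ssid' can never equal a hash, so it is a safe default.` The same hashing is applied to the insecure cookie in the hunk at line 196, and the reworded comment would cover that branch too. _drupal_session_write() begins before and continues after both hunks.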
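Review bot: In the drupal_session_regenerate() hunk at line 395 the `->condition(...)` now matches on `Crypt::hashBase64($old_session_id)`, while `->fields($fields)` writes whatever `$fields` holds, and `$fields` is populated above the hunk where I cannot see it; if it still carries the raw new session ID, the regenerated row stores a plaintext 'sid'/'ssid' that `_drupal_session_read()` (now querying by hash) will never match, so the user is logged out on every regenerate. The hunk at line 403 hashes both the written fields and the condition, which suggests `$fields` needs the same treatment, e.g. `'sid' => Crypt::hashBase64($session_id)` and `'ssid' => Crypt::hashBase64(session_id())`. drupal_session_regenerate() begins before and ends after these two hunks.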