diff --git a/core/includes/form.inc b/core/includes/form.inc
index 05b6d29..868c1c1 100644
--- a/core/includes/form.inc
+++ b/core/includes/form.inc
@@ -513,7 +513,7 @@ function drupal_rebuild_form($form_id, &$form_state, $old_form = NULL) {
     $form['#build_id'] = $old_form['#build_id'];
   }
   else {
-    $form['#build_id'] = 'form-' . Crypt::hashBase64(uniqid(mt_rand(), TRUE) . mt_rand());
+    $form['#build_id'] = 'form-' . Crypt::randomStringHashed(55);
   }
 
   // #action defaults to request_uri(), but in case of Ajax and other partial
@@ -1049,7 +1049,7 @@ function drupal_prepare_form($form_id, &$form, &$form_state) {
   // @see drupal_build_form()
   // @see drupal_rebuild_form()
   if (!isset($form['#build_id'])) {
-    $form['#build_id'] = 'form-' . Crypt::hashBase64(uniqid(mt_rand(), TRUE) . mt_rand());
+    $form['#build_id'] = 'form-' . Crypt::randomStringHashed(55);
   }
   $form['form_build_id'] = array(
     '#type' => 'hidden',
diff --git a/core/includes/session.inc b/core/includes/session.inc
index 4cc8139..3291998 100644
--- a/core/includes/session.inc
+++ b/core/includes/session.inc
@@ -263,10 +263,10 @@ function drupal_session_initialize() {
     // Less random sessions (which are much faster to generate) are used for
     // anonymous users than are generated in drupal_session_regenerate() when
     // a user becomes authenticated.
-    session_id(Crypt::hashBase64(uniqid(mt_rand(), TRUE)));
+    session_id(Crypt::randomStringHashed(55));
     if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) {
       $insecure_session_name = substr(session_name(), 1);
-      $session_id = Crypt::hashBase64(uniqid(mt_rand(), TRUE));
+      $session_id = Crypt::randomStringHashed(55);
       $_COOKIE[$insecure_session_name] = $session_id;
     }
   }
@@ -363,7 +363,7 @@ function drupal_session_regenerate() {
       $old_insecure_session_id = $_COOKIE[$insecure_session_name];
     }
     $params = session_get_cookie_params();
-    $session_id = Crypt::hashBase64(uniqid(mt_rand(), TRUE) . Crypt::randomBytes(55));
+    $session_id = Crypt::randomStringHashed(55);
     // If a session cookie lifetime is set, the session will expire
     // $params['lifetime'] seconds from the current request. If it is not set,
     // it will expire when the browser is closed.
@@ -375,7 +375,7 @@ function drupal_session_regenerate() {
   if (drupal_session_started()) {
     $old_session_id = session_id();
   }
-  session_id(Crypt::hashBase64(uniqid(mt_rand(), TRUE) . Crypt::randomBytes(55)));
+  session_id(Crypt::randomStringHashed(55));
 
   if (isset($old_session_id)) {
     $params = session_get_cookie_params();
diff --git a/core/modules/system/lib/Drupal/system/Tests/Upgrade/UpgradePathTestBase.php b/core/modules/system/lib/Drupal/system/Tests/Upgrade/UpgradePathTestBase.php
index c8b4cd3..43023be 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Upgrade/UpgradePathTestBase.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Upgrade/UpgradePathTestBase.php
@@ -60,7 +60,7 @@ protected function prepareD8Session() {
 
     // Generate and set a D7-compatible session cookie.
     $this->curlInitialize();
-    $sid = Crypt::hashBase64(uniqid(mt_rand(), TRUE) . Crypt::randomBytes(55));
+    $sid = Crypt::randomStringHashed(55);
     $this->curlCookies[] = rawurlencode(session_name()) . '=' . rawurlencode($sid);
 
     // Force our way into the session of the child site.