diff --git a/core/lib/Drupal/Core/Session/SessionConfiguration.php b/core/lib/Drupal/Core/Session/SessionConfiguration.php
index bbdde7cb5d..f59913ee46 100644
--- a/core/lib/Drupal/Core/Session/SessionConfiguration.php
+++ b/core/lib/Drupal/Core/Session/SessionConfiguration.php
@@ -2,6 +2,7 @@
 
 namespace Drupal\Core\Session;
 
+use Drupal\Core\Site\Settings;
 use Symfony\Component\HttpFoundation\Request;
 
 /**
@@ -91,9 +92,12 @@ protected function getUnprefixedName(Request $request) {
       $session_name = $this->options['cookie_domain'];
     }
     else {
-      // Otherwise use $base_url as session name, without the protocol
-      // to use the same session identifiers across HTTP and HTTPS.
-      $session_name = $request->getHost() . $request->getBasePath();
+      // Otherwise use base URL as session name, without the protocol
+      // to use the same session identifiers across HTTP and HTTPS. Hash salt
+      // is required to clearly distinguish between different website code
+      // bases for example Drupal 7 to Drupal 8 upgrade with the same host and
+      // base path.
+      $session_name = $request->getHost() . $request->getBasePath() . Settings::getHashSalt();
       // Replace "core" out of session_name so core scripts redirect properly,
       // specifically install.php.
       $session_name = preg_replace('#/core$#', '', $session_name);
diff --git a/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php b/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
index 38ee14fbd5..8920375470 100644
--- a/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
+++ b/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
@@ -2,6 +2,7 @@
 
 namespace Drupal\Tests\Core\Session;
 
+use Drupal\Core\Site\Settings;
 use Drupal\Tests\UnitTestCase;
 use Symfony\Component\HttpFoundation\Request;
 
@@ -11,6 +12,17 @@
  */
 class SessionConfigurationTest extends UnitTestCase {
 
+  const HASH_SALT = 'HH0jcYIHipVSCMFtnC6Aa9JZqd8yfnahpCgxZEEerG8';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    new Settings([
+      'hash_salt' => self::HASH_SALT,
+    ]);
+  }
+
   /**
    * Constructs a partially mocked SUT.
    *
@@ -190,9 +202,9 @@ public function providerTestGeneratedSessionName() {
       ['https://[::1]:8443/path/index.php', 'SSESS', '[::1]'],
     ];
 
-    return array_map(function ($record) {
-      return [$record[0], $record[1] . substr(hash('sha256', $record[2]), 0, 32)];
-    }, $data);
+    return array_walk($data, function (&$record, $index, $hash) {
+      $record[1] = $record[1] . substr(hash('sha256', $record[2] . $hash), 0, 32);
+    }, self::HASH_SALT);
   }
 
   /**