PHP security + session_id()

[jamkelvl]

Aside from regenerating session_id() all the time;

 

Would it be a good idea to scramble session_id() with something like sha1?

 

I've heard if a maliscious attacker gets a users session_id() then they have the key to the 'vault' (database).  In my case I've tried writing something where they'll need a little more than just the session_id().  The session_id() is constantly changing and there are a few more required 'keys' to exploiting this app.

 

Any input is greatly appreciated, whether or not it is to do with sessions or just php security in general.