session

Session state = cryptographic hash of Client ID, origin URL, and OP User Agent state

sid = is public identifier of session_id

because we don’t want to expose session_id except very explicit cases, instead we should use sid, e.g. explicit passing in logout uri or claim in id_token