Is Setting A $_SESSION Value That Is The Same As A GET Parameter A Security Risk - PHP?


I've seen a PHP security tutorial where it says never to accept $_SESSION identifiers from GET or POST variables due to session hijacking and fixation. It annoyingly doesn't go into any real detail on this though.

In an application I'm building I have a $_SESSION value that is the $username variable that is set when a user logs in. This value is taken from the database, but is later used in GET requests via URL parameters:

$_SESSION['username'] = $username;

Note: The $username and all other data is sanitized going into the database and escaped when being fetched from the database.

Is the above session name a real no-no? And if this is indeed bad practice should I be using the user id from the database or similar information that is never publicly displayed (e.g. in a url parameter)?

Using the $username variable is handy because I use it in URL parameters as well via the $_SESSION value, an example of which is below:

<a href='<?php echo "profile.php?username={$_SESSION['username']}"; ?>'>My Profile</a>

When a user logs in the actual session id is regenerated with session_regenerate_id(true); so the id of each session changes each time the user is authenticated.

Any advice would be greatly appreciated.
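The distinction the tutorial leaves out, shown as an added example that is not part of the question: the username can stay in the session and appear in the URL as a public selector, but identity and authorization must come only from the session (here the user id), never from the GET parameter. The username alphabet and the lookupUserIdByUsername() helper are assumptions for the example.

```php
<?php
// Added example: identity comes from the session; the GET parameter only
// selects which public profile to render.
declare(strict_types=1);

// login.php: after the password check succeeds, rotate the session id to
// defeat fixation, then store the immutable user id alongside the username.
function establishLogin(int $userId, string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['username'] = $username; // display/linking only, never for authorization
}

// Build the profile link with the session value escaped for both contexts:
// urlencode() for the query string, htmlspecialchars() for the attribute.
function profileLink(string $username): string
{
    $href = 'profile.php?username=' . urlencode($username);
    return "<a href='" . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . "'>My Profile</a>";
}

// profile.php: validate the untrusted GET value against the allowed username
// alphabet (assumed here: 3-32 characters of [A-Za-z0-9_]) before any lookup.
function requestedUsername(array $get): ?string
{
    $name = $get['username'] ?? null;
    if (!is_string($name)) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $name) === 1 ? $name : null;
}

// Only the session decides whether the viewer owns the profile; a visitor who
// edits the URL to someone else's username gets the read-only public view.
function canEditProfile(array $session, int $profileOwnerId): bool
{
    return isset($session['user_id']) && (int) $session['user_id'] === $profileOwnerId;
}

session_start();
$requested = requestedUsername($_GET);
if ($requested === null) {
    http_response_code(400);
    exit('Invalid username');
}
$ownerId = lookupUserIdByUsername($requested); // hypothetical DB helper returning ?int
if ($ownerId === null) {
    http_response_code(404);
    exit('No such user');
}
$editable = canEditProfile($_SESSION, $ownerId); // gate edit controls on this, not on $_GET
```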
