diff --git a/ext/session/session.c b/ext/session/session.c
index aa9883ab1df33..32de7c36d7813 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -2383,6 +2383,10 @@ PHP_FUNCTION(session_create_id)
 	}
 
 	if (prefix && ZSTR_LEN(prefix)) {
+        if (ZSTR_LEN(prefix) > PS_MAX_SID_LENGTH) {
+            zend_argument_value_error(1, "cannot be longer than %d characters", PS_MAX_SID_LENGTH);
+            RETURN_THROWS();
+        }
 		if (php_session_valid_key(ZSTR_VAL(prefix)) == FAILURE) {
 			/* E_ERROR raised for security reason. */
 			php_error_docref(NULL, E_WARNING, "Prefix cannot contain special characters. Only the A-Z, a-z, 0-9, \"-\", and \",\" characters are allowed");
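Review bot: The added guard bounds only the prefix, so a prefix of exactly PS_MAX_SID_LENGTH characters is accepted here even though the ID built from it will presumably be longer once the generated part is appended. That code is outside the hunk, so this is inferred rather than confirmed. If the returned ID must never exceed the limit, the comparison should account for the length of the generated part; otherwise a comment such as `/* Bounds the prefix only; the final ID is prefix + generated part. */` would make the intent explicit. The four added lines are also indented with spaces while the surrounding lines use tabs. The body of session_create_id starts and ends outside the hunk.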
diff --git a/ext/session/tests/session_create_id_invalid_prefix.phpt b/ext/session/tests/session_create_id_invalid_prefix.phpt
index 0a4e2c2d40013..7de7e8061f689 100644
--- a/ext/session/tests/session_create_id_invalid_prefix.phpt
+++ b/ext/session/tests/session_create_id_invalid_prefix.phpt
@@ -12,8 +12,18 @@ session
 
 var_dump(session_create_id('_'));
 var_dump(session_create_id('%'));
-var_dump(session_create_id("AB\0CD"));
 
+try {
+    var_dump(session_create_id('ABTgdPs68S3M4HMaqKwj33TzqLMv5PHpWQxJbfpeogEhrJRY7o9f33pKLCmhf0tXCtoBkIu0yxXYCSHfJhPd2miPUW4MIpd91dnEiOwWDfaBnfdJZOwgvgmYLSfDGaebqmnCAoyuzlcq2j59nNRhccgJIkr9ytY3RwFTTXszpcjpx6mlJuG9GksKAhPsnnaEwSEb0eFyqvn80gYI2roKSjaFSmJxg0xgXuCF4csMo8DxiSvovho5QTKx5u7h8VyQL'));
+} catch (Throwable $e) {
+    echo $e::class . ': ' . $e->getMessage() . "\n";
+}
+
+try {
+    var_dump(session_create_id("AB\0CD"));
+} catch (Throwable $e) {
+    echo $e::class . ': ' . $e->getMessage() . "\n";
+}
 
 ?>
 Done
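Review bot: The over-length case relies on one opaque literal whose length cannot be checked by eye, and the boundary of the new check is not exercised. Writing the input as `session_create_id(str_repeat('a', 257))` makes the tested length explicit and matches the 256 in the expected message. A companion case at exactly 256 characters, for example `var_dump(is_string(session_create_id(str_repeat('a', 256))));`, would pin whichever outcome is intended at the limit and catch an off-by-one if the comparison is changed later.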
@@ -23,9 +33,6 @@ bool(false)
 
 Warning: session_create_id(): Prefix cannot contain special characters. Only the A-Z, a-z, 0-9, "-", and "," characters are allowed in %s on line %d
 bool(false)
-
-Fatal error: Uncaught ValueError: session_create_id(): Argument #1 ($prefix) must not contain any null bytes in %s:%d
-Stack trace:
-#0 %s(5): session_create_id('AB\x00CD')
-#1 {main}
-  thrown in %s
+ValueError: session_create_id(): Argument #1 ($prefix) cannot be longer than 256 characters
+ValueError: session_create_id(): Argument #1 ($prefix) must not contain any null bytes
+Done