These questions are related: one and two. The former says it's used to prevent name conflicts between apps in the same domain. The latter says it can be used for anti-session hijacking.
While the former appears to be the real purpose of session_name(), I am not sure about the latter. Does it really protect against session hijacking? I think it can confuse the attacker in finding out cookie names instead of the default PHPSESSID, but is that all?
What's the real purpose of session_name()?
Does it really protect against session hijacking?
No. It is trivial for an attacker to visit your site and see what session name you are using instead of the default (simply by viewing the headers), so this function doesn't really provide any session hijacking protection. Its purpose is to allow you to change the default PHPSESSID to something else, or avoid collisions between apps on the same domain.
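As an added example (not code from the question or either answer), a small PHP helper that uses session_name() the way this answer describes, as a per-application namespace, with comments showing why the name is no secret. The cookie-parameter and session_regenerate_id() lines are assumptions about what such an app would normally want, not anything the answers prescribe; the app paths and session names are made up.

```php
<?php
// Added example: two apps on one domain each call session_name() before
// session_start() so their cookies do not collide. The chosen name is sent
// back to every client in the Set-Cookie header, so it is a namespace, not
// a secret; any hijacking resistance comes from the cookie flags and from
// regenerating the ID after a privilege change, not from the name itself.

function start_app_session(string $name, string $path): void
{
    // PHP accepts only letters and digits here, and not digits alone.
    if (!preg_match('/^(?=.*[A-Za-z])[A-Za-z0-9]+$/', $name)) {
        throw new InvalidArgumentException("invalid session name: $name");
    }
    session_name($name);                      // e.g. SHOPSESS instead of PHPSESSID
    session_set_cookie_params([
        'path'     => $path,                  // scope the cookie to this app's path
        'secure'   => true,                   // only sent over HTTPS
        'httponly' => true,                   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start([
        'use_strict_mode'  => 1,              // reject IDs the server never issued
        'use_only_cookies' => 1,              // never accept the ID from the URL
    ]);
}

// After a successful login, issue a fresh ID so a pre-login ID is worthless.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// App 1 (served under /shop/) and app 2 (under /admin/) each call this with
// their own name, so both sessions coexist in the same browser:
//   start_app_session('SHOPSESS', '/shop/');
//   start_app_session('ADMINSESS', '/admin/');
// The response then carries, e.g.:
//   Set-Cookie: SHOPSESS=<id>; path=/shop/; secure; HttpOnly; SameSite=Lax
// which is exactly how a visitor learns the non-default name.
```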
It has happened to me to have two (or more) different applications on the same domain.
Allowing different sessions to coexist on the same domain is the real scope of session_name(), IMHO.