Issue #5214 is not fixed in Joomla 3. I'm sure of that. You cannot find the equivalent of its patch in Joomla 3 "refactored" JSession code.
Sadly I still cannot reproduce it, but it has happened randomly so many times that it confirms to me that something is wrong. I'm still investigating to check what really causes this. I think it's related to an empty session_id (expired), but not only that: sometimes new sessions also seem to get a new random cookie that sometimes collides with an existing active session (most times it is a guest session, e.g. bots, but there is a fair probability of getting a logged-in user's session; in a week 3 users reported this to me, on a base of 10 users, they are just very active on the site and we have a good level of guest traffic; it also happened to me one time). The session table is full of logged-in users with the same session id and the UA of bots, so I think bots got some logged-in user sessions too.
For now I can tell you that I solved this severe issue by rewriting the commented-out code to do the IP check and UA check for the session in session.php: https://github.com/joomla-framework/session/blob/master/Session.php#L945-975. As you can see, those lines are dead code. Why was it commented out? fix_adress (a consistent typo) is never enabled, but in the comments it is said to be a default-ON check, see here:
https://github.com/joomla-framework/session/blob/master/Session.php#L58-64
That's dumb, not in your code style. That indicates that someone in the pre-GitHub Joomla code history partially removed that code, disabling it, but I cannot find any issue related to this. This indicates that there is some latent issue, some long-living pending TODO, in a class as important as session handling. You're doing amazing work on Joomla; please bring attention also to this basic class, or security issues will make anti-marketing again.
Maybe we should restore the fix_adress and fix_browser checks and make them configurable in the global Joomla configuration. They are also useful for extra security, preventing real attacks, for those who want bank-level security (session stickiness to IP and UA to avoid cookie stealing).
Instead, as a way to avoid this auto-random session hijacking issue, which is due to a bug and not any attack, this is of course not the clean solution. I'm still investigating to check what is causing the issue, maybe an md5 collision, maybe something wrong. Anyway, it deserves attention for sure; please start investigating this yourselves too, and keep the ticket open until you can tell that session.php is clear.
Another question I have: are you sure that guest users (not logged in) need a session_id? This increases the probability of such collisions. Maybe, if you really need to have a session for each guest too, we can make another session_name for them, to treat them separately, but I suggest removing the session for guests, also for performance reasons: the #_session table gets too big so quickly on moderately active sites, causing performance issues and corruption too. Joomla needs to be the BEST SOLUTION to project also high-traffic websites, don't you think?
I wrote a new little patch for this issue. It prevents empty sessions in Joomla 3.4:
#5214 (comment)
You can lower the probability of identical session IDs by configuring the following PHP runtime variables:
http://php.net/manual/en/session.configuration.php#ini.session.entropy-file
http://php.net/manual/en/session.configuration.php#ini.session.entropy-length
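
An added example (not Joomla's code and not any participant's patch) of the IP and user-agent session binding discussed in this thread. The function name, option names and session keys are assumptions, and the request data is constructed.

```php
<?php
// Added illustration, not Joomla code: pin a session to the client that created it.
// Function name, option names and session keys are hypothetical.

/**
 * Returns true when the request matches the address / user agent recorded
 * at session creation; records them on the first request.
 */
function validateSessionBinding(array &$session, array $server, array $opts = []): bool
{
    $opts += ['fix_address' => true, 'fix_browser' => true];
    $checks = [
        'fix_address' => ['session.client.address', $server['REMOTE_ADDR'] ?? ''],
        'fix_browser' => ['session.client.browser', $server['HTTP_USER_AGENT'] ?? ''],
    ];

    foreach ($checks as $option => [$key, $current]) {
        if (!$opts[$option]) {
            continue;                       // check disabled in configuration
        }
        if (!isset($session[$key])) {
            $session[$key] = $current;      // first request: remember the client
        } elseif (!hash_equals($session[$key], $current)) {
            return false;                   // same cookie, different client
        }
    }
    return true;
}

// Constructed sample data: one stored session, two requests presenting its cookie.
$session = [];
$owner = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed)'];
$other = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'ExampleBot/1.0 (constructed)'];

var_dump(validateSessionBinding($session, $owner));  // first request records the owner
var_dump(validateSessionBinding($session, $owner));  // same client again
var_dump(validateSessionBinding($session, $other));  // different client, same session data
```

On a mismatch the caller should discard the session data and issue a fresh session id rather than keep serving the existing one. REMOTE_ADDR is the proxy's address behind a reverse proxy and changes for roaming clients, which is a reason to keep both checks configurable.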