authorDries Buytaert <dries@buytaert.net>2008-11-24 06:12:46 +0000
committerDries Buytaert <dries@buytaert.net>2008-11-24 06:12:46 +0000
commit96dc47665ef84588874200aec2a5a61e4b93e19f (patch)
tree55a44d3fd694e53e4eb4b79798eb30210fa89d6a /modules/user/user.module
parentbd9554952c02b4ea70103a87d3b7ef51af29f9d4 (diff)
- Patch #280934 by pwolanin, swentel, et al: harden session regeneration. It took a while, but it comes with tests and extra features now.
Diffstat (limited to 'modules/user/user.module')
-rw-r--r--modules/user/user.module5
1 files changed, 4 insertions, 1 deletions
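--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1361,8 +1361,11 @@ function user_authenticate_finalize(&$edit) {
 // This is also used to invalidate one-time login links.
 $user->login = REQUEST_TIME;
 db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
- user_module_invoke('login', $edit, $user);
+ // Regenerate the session ID to prevent against session fixation attacks.
+ // This is called before hook_user in case one of those functions fails
+ // or incorrectly does a redirect which would leave the old session in place.
 drupal_session_regenerate();
+ user_module_invoke('login', $edit, $user);
 }
 /**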
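Review bot: Moving `drupal_session_regenerate();` ahead of `user_module_invoke('login', $edit, $user);` is only safe if drupal_session_regenerate() carries the current $_SESSION contents (anything stored earlier in the login flow, such as pending messages) over to the new session ID; that function is outside this hunk, so the new comment should state that dependency, e.g. `// Relies on drupal_session_regenerate() migrating the existing $_SESSION data to the new ID.` — provided that is what it actually does. Implementations of hook_user('login') now execute against the regenerated session, so any of them that key off the pre-login session ID would need review; none are visible here. The wording "prevent against session fixation attacks" on the first added line is awkward; `// Regenerate the session ID to prevent session fixation attacks.` reads cleanly. user_authenticate_finalize() begins before this hunk, so whether the global $user is already assigned at this point cannot be confirmed from the visible lines.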