Diffstat (limited to 'modules/user')
-rw-r--r--modules/user/user.module5
1 files changed, 4 insertions, 1 deletions
diff --git a/modules/user/user.module b/modules/user/user.module
index 6e8b83a80..cdb912d92 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1361,8 +1361,11 @@ function user_authenticate_finalize(&$edit) {
// This is also used to invalidate one-time login links.
$user->login = REQUEST_TIME;
db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
- user_module_invoke('login', $edit, $user);
+ // Regenerate the session ID to prevent against session fixation attacks.
+ // This is called before hook_user in case one of those functions fails
+ // or incorrectly does a redirect which would leave the old session in place.
drupal_session_regenerate();
+ user_module_invoke('login', $edit, $user);
}
/**
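Review bot: The comment added above `drupal_session_regenerate()` reads "prevent against session fixation attacks", which should be "protect against" (or just "prevent"). It also explains why the call was moved but not that the order is a security invariant, so a line such as `// Security: keep this before user_module_invoke('login'); do not reorder.` would guard against a later refactor undoing the fix. The change only covers logins that pass through user_authenticate_finalize(). Whether other code paths that establish an authenticated session, such as the one-time login links mentioned in the context comment, also regenerate the session ID is not visible from this hunk and is worth confirming. The function body starts outside the hunk.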