From 96dc47665ef84588874200aec2a5a61e4b93e19f Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Mon, 24 Nov 2008 06:12:46 +0000
Subject: - Patch #280934 by pwolanin, swentel, et al: harden session regeneration. It took a while, but it comes with tests and extra features now.

---
 modules/user/user.module | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'modules/user/user.module')

diff --git a/modules/user/user.module b/modules/user/user.module
index 6e8b83a80..cdb912d92 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1361,8 +1361,11 @@ function user_authenticate_finalize(&$edit) {
   // This is also used to invalidate one-time login links.
   $user->login = REQUEST_TIME;
   db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
-  user_module_invoke('login', $edit, $user);
+  // Regenerate the session ID to prevent against session fixation attacks.
+  // This is called before hook_user in case one of those functions fails
+  // or incorrectly does a redirect which would leave the old session in place.
   drupal_session_regenerate();
+  user_module_invoke('login', $edit, $user);
 }
 
 /**
-- 
cgit v1.2.3
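Review bot: The added comment describes why regeneration now precedes the 'login' hook but not the consequence that matters to hook implementers: any hook_user('login') code that reads or stores the current session ID now sees the regenerated ID rather than the pre-authentication one, which is the intended outcome and should be stated so a later reordering is not made casually. The first comment line also reads awkwardly; `// Regenerate the session ID to protect against session fixation attacks.` is clearer, followed by a line such as `// hook_user('login') implementations therefore observe the new session ID.`. Nothing in the hunk checks the outcome of drupal_session_regenerate(); if that function can signal failure, a login continuing on the old session would be worth logging, but that depends on its contract, which is not visible here. user_authenticate_finalize() begins before this hunk; only its tail is shown.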