Index: no_anon.module
===================================================================
--- no_anon.module (revision 5862)
+++ no_anon.module (working copy)
@@ -1,17 +1,18 @@ uid == 0) {
+ if (!session_save_session() || ($user->uid == 0 && empty($_SESSION))) {
+ // no_anon: We delete any existing session cookie because the session is empty for this user
+ session_delete_cookie();
 return TRUE;
 }
- db_query("UPDATE {sessions} SET uid = %d, cache = %d, hostname = '%s', session = '%s', timestamp = %d WHERE sid = '%s'", $user->uid, isset($user->cache) ? $user->cache : '', ip_address(), $value, time(), $key);
+ // If we made it this far, then we have session data worth saving. Create the cookie if user doesn't have one.
+ if (!isset($_COOKIE[session_name()])) {
+ // read what params the session cookie would've had if we hadn't disabled its creation
+ $cookie_params = session_get_cookie_params();
+ // then create it ourselves
+ setcookie(session_name(), session_id(), time()+$cookie_params['lifetime'], $cookie_params['path'], $cookie_params['domain'], $cookie_params['secure']);
+ }
+
+
+ // Now update the sessions table to actually save the data
+ db_query("UPDATE {sessions} SET uid = %d, cache = %d, hostname = '%s', session = '%s', timestamp = %d WHERE sid = '%s'", $user->uid, isset($user->cache) ? $user->cache : '', $_SERVER['REMOTE_ADDR'], $value, time(), $key);
 if (db_affected_rows()) {
 // Last access time is updated no more frequently than once every 180 seconds.
 // This reduces contention in the users table.
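Review bot: `time()+$cookie_params['lifetime']` in the new setcookie() call turns a configured cookie lifetime of 0 — PHP's "expire when the browser closes" setting — into a cookie that expires at the current second, so the browser discards it at once and the session is lost on the next request; use `$cookie_params['lifetime'] ? time() + $cookie_params['lifetime'] : 0` instead. The hand-built cookie also drops the HttpOnly flag that PHP's own session cookie carries when session.cookie_httponly is on; on PHP 5.2+ session_get_cookie_params() returns a `httponly` key, so pass `$cookie_params['httponly']` as the seventh setcookie() argument. Replacing ip_address() with `$_SERVER['REMOTE_ADDR']` here and in the INSERT hunk at @@ -81 stores the proxy's address rather than the client's on sites behind a reverse proxy; if this is for compatibility with a Drupal release that lacks ip_address(), a comment should say so, otherwise keep ip_address(). The opening of sess_write, including the removed `if ($user->uid == 0)` line, is cut off at the start of this hunk.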
@@ -81,7 +94,7 @@
 else {
 // If this query fails, another parallel request probably got here first.
 // In that case, any session data generated in this request is discarded.
- @db_query("INSERT INTO {sessions} (sid, uid, cache, hostname, session, timestamp) VALUES ('%s', %d, %d, '%s', '%s', %d)", $key, $user->uid, isset($user->cache) ? $user->cache : '', ip_address(), $value, time());
+ @db_query("INSERT INTO {sessions} (sid, uid, cache, hostname, session, timestamp) VALUES ('%s', %d, %d, '%s', '%s', %d)", $key, $user->uid, isset($user->cache) ? $user->cache : '', $_SERVER['REMOTE_ADDR'], $value, time());
 }
 return TRUE;
@@ -99,7 +112,7 @@
 // regardless of the Drupal configuration.
 // TODO: remove this when we require at least PHP 4.4.0
 if (isset($_COOKIE[session_name()])) {
- setcookie(session_name(), '', time() - 42000, '/');
+ session_delete_cookie();
 }
 session_regenerate_id();
@@ -132,6 +145,12 @@
 */
 function sess_destroy_sid($sid) {
 db_query("DELETE FROM {sessions} WHERE sid = '%s'", $sid);
+
+ // no_anon: make sure to remove unneeded cookie on logout.
+ // First make sure the session we're deleting is the current one.
+ if($sid = session_id()) {
+ session_delete_cookie();
+ }
 }
 /**
@@ -174,3 +193,19 @@
 }
 return ($save_session);
 }
+
+/**
+ * Deletes session cookie for current user, if one exists
+ *
+ * Works by looking at the parameters of the current cookie and recreating it with
+ * expiration in the past. Note that bad things can happen if you call session_delete_cookie()
+ * and then try to set the cookie later in the same request.
+ */
+function session_delete_cookie() {
+ if (isset($_COOKIE[session_name()])) {
+ // get params of current cookie
+ $cookie_params = session_get_cookie_params();
+ // and then re-set it with expiration time in the past
+ setcookie(session_name(), '', time() - 42000, $cookie_params['path'], $cookie_params['domain'], $cookie_params['secure']);
+ }
+}
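Review bot: After the `session_delete_cookie();` call in this regenerate hunk, `$_COOKIE[session_name()]` is still set for the rest of the request — the helper only queues an expiring Set-Cookie header — so the `!isset($_COOKIE[session_name()])` guard that sess_write now uses to emit the cookie will not fire for the regenerated id. If PHP's own cookie emission is disabled, as the "if we hadn't disabled its creation" comment in sess_write suggests, the new session id would then never reach the browser; this is inferred from the visible lines and should be confirmed with a login round-trip. If it holds, clear the in-request copy too, e.g. `unset($_COOKIE[session_name()]);` directly after the call. The enclosing function's definition starts outside the hunk.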
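Review bot: `if($sid = session_id())` in sess_destroy_sid assigns rather than compares, so the guard is true whenever the current request has a session id and the cookie is deleted even when the session being destroyed is not the current one, contrary to the intent stated in the comment directly above it; change it to `if ($sid == session_id()) {`. Whether any caller actually passes a foreign sid cannot be told from this hunk, but the assignment also silently overwrites `$sid` after the DELETE query, which makes the comment misleading. Drupal's coding standard also wants a space between `if` and the parenthesis.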
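Review bot: session_delete_cookie() never clears `$_COOKIE[session_name()]`, so every later `isset($_COOKIE[session_name()])` check in the same request still sees the cookie — which is the "bad things can happen" case its own docblock warns about; adding `unset($_COOKIE[session_name()]);` after the setcookie() call keeps the in-request view consistent with the response and lets the caveat be narrowed. The expiring cookie omits the httponly argument; on PHP 5.2+ `$cookie_params['httponly']` is returned by session_get_cookie_params() and passing it as the seventh argument keeps the deletion consistent with how the cookie was issued. The docblock could also state that the function only affects the response headers and is a no-op when the request carried no session cookie.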