Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.911
diff -u -p -r1.911 user.module
--- modules/user/user.module 27 Jun 2008 07:25:11 -0000 1.911
+++ modules/user/user.module 10 Jul 2008 16:27:00 -0000
@@ -1341,8 +1341,10 @@ function user_authenticate_finalize(&$ed
 // This is also used to invalidate one-time login links.
 $user->login = time();
 db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
- user_module_invoke('login', $edit, $user);
+
+ // Regenerate the session ID to prevent against session fixation attacks.
 sess_regenerate();
+ user_module_invoke('login', $edit, $user);
 }
 
 /**
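Review bot: The new comment above `sess_regenerate()` says what the call does but not why it now has to run before `user_module_invoke('login', $edit, $user)`, and that ordering is the security-relevant part of this change. Presumably a login hook that redirects or exits would otherwise end the request with the pre-login session ID still in use; if that is the reason, record it so a later refactor does not move the call back, e.g. `// Regenerate the session ID before invoking login hooks, so a hook that redirects or exits cannot skip it (session fixation).` The wording "prevent against" should also read "protect against". The body of user_authenticate_finalize() starts outside this hunk, so whether anything earlier in the function touches the session before regeneration cannot be checked from here.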