Index: user.module
===================================================================
--- user.module (revision 44)
+++ user.module (working copy)
@@ -966,10 +966,6 @@
 user_module_invoke('login', $form_values, $user);
- $old_session_id = session_id();
- session_regenerate_id();
- db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);
-
 // Create a timestamped final URL so that browsers don't return the user to
 // a cached page (where it would appear as if they never logged in or out).
 return array($_REQUEST['destination'], 'time='. time());
@@ -981,6 +977,9 @@
 // Try to log in the user locally. Don't set $user unless successful.
 if ($account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1))) {
+ $old_session_id = session_id();
+ session_regenerate_id();
+ db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);
 $user = $account;
 }
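Review bot: The session ID is now rotated only inside the `if ($account = user_load(...))` branch of the second hunk, which its own comment describes as the local login attempt, while the first hunk removes the rotation that ran after `user_module_invoke('login', ...)` for every completed login. If the enclosing function has any other path that assigns `$user` (for example an external or fallback authentication step, not visible here), a login through that path would keep its pre-authentication session ID, which is the session-fixation condition this rotation exists to prevent. Consider keeping the three lines in one small helper that is called wherever `$user` is assigned after a successful check, or rotating once at a point every successful login passes through. The result of `session_regenerate_id()` is also unchecked, so a failed rotation leaves the old ID in place silently; logging when it returns `false` would make that visible. The enclosing functions of both hunks start and end outside the visible lines.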