Registrations without email verification doesn't call hook_user('login')

When the user setting "Require e-mail verification when a visitor creates an account" is not enabled the user is logged in without calling hook_user('login'). This is a problem for E-Commerce when it is trying to move the cart from the anonymous user to the newly created user, and thus the cart is lost.

Does not apply.

Actually this was for 5.1, but here is a version for 6-dev

Bump, I need to get this into HEAD so that it can be backported to Drupal 5.x

This is giving me headaches for Drupal 5.x E-Commerce users

This is a problem with Drupal 5. A very serious problem at that. Why has this not been dealt with?

After speaking with Killes I was informed that I needed to get this into 6.x-dev first and then he would include it in 5.x-dev.

I know this is a big problem in 5.1, but I need to get this into 6.x first, and then it can fix our problem.

This looks OK, but can you sprinkle that code with some code comments? Thanks.

Here is an update to the patch for HEAD.

I think this points at a more general problem: hook_user('login') isn’t called consistently and neither are the other tasks associated with a successful login.

All of the appropriate tasks occur in user_login_submit() which is called when a user completes the user login form:

• making a note in watchdog
• updating user's login timestamp
• firing hook_user('login)
• and generating new session ID

But not all of those tasks are completed in the other places that users are logged in: user_pass_reset() (one time password), user_register_submit() (register and login immediately), blogapi_validate_user(), drupal_login().

Those login tasks should be called the same place where the actual login occurs; namely where the user is loaded into global $user in user_authenticate()

I’ve attached a patch that consolidates those tasks into one place.

Not generating a new session ID when logging in is a security issue. Isn’t it? :-s

I'd rather go with a much simpler change than the patch in #11 for 5.x.

Yes my patch just fixes the missing call, which is much better, esp for 5.2

I’ve moved the patch in #11 to “User login/authentication tasks not performed consistently” so we can get Gordon’s issue into 5.x quicker. :-)

I’ve looked closely at Gordon’s patch in #10 and it is RTBC.

So it looks that this patch is against 5.x and the 6.x stuff which needed more fixes is moved into another patch.

#10's patch does not apply in 5.x.

#2 is for 5.x and #10 is for HEAD

Neither does #2.

I have rerolled that patch and should be working now.

Committed to 5.x.

This needs to be ported to 6.x, see if #10 commits

Gordon, I’m already working on getting it fixed in 6.x. The patch in http://drupal.org/node/152497 includes your fix as well as the more general problem I described in #11 above.