Drupal 5 version

No. I don't plan to do that at all.

If someone wants to create a D5 version, and test it and submit a working patch, then I will consider creating a D5 version.

I've created a quick, straightforward Drupal 5 version.

It appears to be working, but I haven't tested it extensively since it conflicts with some of our other modules that make use of $_SESSION for anon users.

If someone tests this on D5 and verifies that it works, I will create a D5 release from it.

Ok, I've gone a bit farther with this and ended up rewriting the way the module works for my Drupal 5 version.

With the attached patch, a cookie & session record *is* created for anonymous users if and only if there is something actually saved in their $_SESSION. (I'm pretty sure this is what Drupal 7 does now too, btw.) This should make no_anon compatible with many more modules that do funny things with logins and/or require store session data for some anon users. I think some of the Captcha modules do this, for example.

One other bonus of creating the session cookie ourselves in sess_write(), is we no longer need the form_alter() special cases for login pages. I did, however, have to add a bit of a hack as a hook_footer() to make sure the session is closed and the cookie is created before the page caching closes the output buffer. This is the one downside I can see in my approach: if you've got a module somewhere that is updating $_SESSION data in a hook_footer() or hook_exit(), it might not get saved if page cache is enabled. I have some ideas for how to mitigate this somewhat, but I somehow doubt it comes up very often.

I've also added code to delete the cookie when a session is no longer needed (i.e. because the session expired in the database) or is destroyed (i.e on logout).

Up to you what you want to do with this. Maybe it becomes version 2.0? I'd be glad to help port these changes back up to your Drupal 6 version. It shouldn't be too hard -- D5's session.inc and D6's are very similar.

Cheers,
Eli