? index.html
? sess_regen_hardening_280934-5.patch
? sites/all/modules
? sites/default/files
? sites/default/settings.php
Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.932
diff -u -p -r1.932 user.module
--- modules/user/user.module	10 Nov 2008 05:23:01 -0000	1.932
+++ modules/user/user.module	11 Nov 2008 15:12:15 -0000
@@ -1375,8 +1375,11 @@ function user_authenticate_finalize(&$ed
   // This is also used to invalidate one-time login links.
   $user->login = REQUEST_TIME;
   db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
-  user_module_invoke('login', $edit, $user);
+  // Regenerate the session ID to prevent against session fixation attacks.
+  // This is called before hook_user in case one of those functions fails
+  // or incorrectoly does a redirect which would leave the old session in place.
   drupal_session_regenerate();
+  user_module_invoke('login', $edit, $user);
 }
 
 /**
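Review bot: The added comment on the line before `drupal_session_regenerate();` has a typo, `incorrectoly`, and the opening phrase `prevent against session fixation attacks` reads awkwardly; suggested wording: `// Regenerate the session ID to prevent session fixation attacks.` followed by `// This runs before hook_user('login') in case one of those hooks fails or` and `// incorrectly issues a redirect, which would leave the old session ID in place.` The reordering itself looks sound: a hook that ends the request with a redirect would otherwise skip the regeneration and keep the pre-authentication session ID valid after login, which is exactly the fixation window the comment describes. The session ID is regenerated only after the login timestamp is written on the `db_query` line above, so a failure there still leaves the old ID; whether that matters depends on how `db_query` reports errors, which is not visible here. The enclosing `user_authenticate_finalize()` begins outside the hunk.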
