? index.html
? sess_regen_hardening_280934-5.patch
? sites/all/modules
? sites/default/files
? sites/default/settings.php
Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.932
diff -u -p -r1.932 user.module
--- modules/user/user.module 10 Nov 2008 05:23:01 -0000 1.932
+++ modules/user/user.module 11 Nov 2008 15:12:15 -0000
@@ -1375,8 +1375,11 @@ function user_authenticate_finalize(&$ed
// This is also used to invalidate one-time login links.
$user->login = REQUEST_TIME;
db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
- user_module_invoke('login', $edit, $user);
+ // Regenerate the session ID to prevent against session fixation attacks.
+ // This is called before hook_user in case one of those functions fails
+ // or incorrectoly does a redirect which would leave the old session in place.
drupal_session_regenerate();
+ user_module_invoke('login', $edit, $user);
}
/**
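Review bot: The added comment on the new side carries a typo and a slightly off phrase that will be read by every future maintainer of this login path: `incorrectoly` should be `incorrectly`, and `prevent against` reads better as `protect against`. Suggested wording: `// Regenerate the session ID to protect against session fixation attacks.` followed by `// This runs before hook_user('login') so that a module which fails or incorrectly redirects inside the hook cannot leave the pre-authentication session ID in place.` The reordering itself looks sound: with drupal_session_regenerate() moved ahead of user_module_invoke('login', ...), a hook implementation that exits early can no longer skip the regeneration, which is the whole point of the fix. The enclosing function user_authenticate_finalize() begins outside the hunk, so the hunk does not show whether any earlier return path in it can reach the caller with the old session still active.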