? modules/simpletest/tests/mail.test
Index: includes/session.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/session.inc,v
retrieving revision 1.63
diff -u -p -r1.63 session.inc
--- includes/session.inc 11 Nov 2008 16:49:37 -0000 1.63
+++ includes/session.inc 17 Nov 2008 02:03:11 -0000
@@ -163,6 +163,9 @@ function _sess_write($key, $value) {
 */
 function drupal_session_regenerate() {
 $old_session_id = session_id();
+ extract(session_get_cookie_params());
+ // Set "httponly" to TRUE to reduce risk of session stealing via XSS.
+ session_set_cookie_params($lifetime, $path, $domain, $secure, TRUE);
 session_regenerate_id();
 db_update('sessions')
 ->fields(array(
Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.934
diff -u -p -r1.934 user.module
--- modules/user/user.module 15 Nov 2008 11:45:04 -0000 1.934
+++ modules/user/user.module 17 Nov 2008 02:03:12 -0000
@@ -1373,8 +1373,11 @@ function user_authenticate_finalize(&$ed
 // This is also used to invalidate one-time login links.
 $user->login = REQUEST_TIME;
 db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
- user_module_invoke('login', $edit, $user);
+ // Regenerate the session ID to prevent against session fixation attacks.
+ // This is called before hook_user in case one of those functions fails
+ // or incorrectoly does a redirect which would leave the old session in place.
 drupal_session_regenerate();
+ user_module_invoke('login', $edit, $user);
 }
/**
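Review bot: The added `session_set_cookie_params(..., TRUE)` only governs the cookie emitted by the `session_regenerate_id()` call right after it, so a cookie already sent by an earlier `session_start()` in the same request — and any anonymous session that never reaches this function — presumably goes out without the HttpOnly flag unless `session.cookie_httponly` is also set at bootstrap; worth confirming where the initial session cookie is issued. The `extract()` on the cookie-params array also introduces `$lifetime`, `$path`, `$domain` and `$secure` into the function's scope implicitly, which makes the argument list hard to trace; reading the array explicitly avoids that: `$params = session_get_cookie_params();` followed by `session_set_cookie_params($params['lifetime'], $params['path'], $params['domain'], $params['secure'], TRUE);`. HttpOnly stops injected script from reading the cookie but not from issuing requests as the user, so the comment could be more precise: `// Set "httponly" to TRUE so script injected via XSS cannot read the session cookie (it can still send requests as the user).` The body of drupal_session_regenerate() continues past the end of this hunk.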
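Review bot: The new comment block above `drupal_session_regenerate();` has a typo (`incorrectoly`) and mixes two idioms in `prevent against`; suggested wording: `// Regenerate the session ID to protect against session fixation attacks.` / `// This runs before hook_user('login') so that a hook implementation that fails` / `// or wrongly redirects cannot leave the old session ID in place.` Moving the regeneration ahead of `user_module_invoke('login', ...)` is the right order, but judging from the session.inc hunk the regeneration appears to update the existing sessions row under the new ID rather than start from an empty session, so any state seeded into the pre-login session presumably survives the login — confirm that carry-over is intended. The enclosing user_authenticate_finalize() begins before the start of this hunk.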