? modules/simpletest/variable-profile-279455-1.patch
Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.911
diff -u -p -r1.911 user.module
--- modules/user/user.module 27 Jun 2008 07:25:11 -0000 1.911
+++ modules/user/user.module 11 Jul 2008 13:03:20 -0000
@@ -1341,8 +1341,12 @@ function user_authenticate_finalize(&$ed
 // This is also used to invalidate one-time login links.
 $user->login = time();
 db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
- user_module_invoke('login', $edit, $user);
+
+ // Regenerate the session ID to prevent against session fixation attacks.
+ // This is called before hook_user in case one of those functions fails
+ // or incorrectoly does a redirect which would leave the old session in place.
 sess_regenerate();
+ user_module_invoke('login', $edit, $user);
 }
 
 /**
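Review bot: The comment added above `sess_regenerate()` is the only thing that records why the call order matters, and it has a typo ("incorrectoly") and the awkward "prevent against". I would tighten it to `// Regenerate the session ID before invoking hook_user('login') to prevent session fixation:` followed by `// a hook that fails or redirects must not leave the pre-login session ID in place.` The fix also relies on `sess_regenerate()` retiring the old ID on the server side, which is defined outside this hunk and is worth confirming. Nothing in the patch pins the ordering, so a test asserting that the session ID after login differs from the one before, including when a login hook redirects, would keep a later refactor from swapping the two calls back. The start of `user_authenticate_finalize()` lies outside the hunk.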