I am in the process of trying to get our custom code out of core.
In this function I capture the old session ID to update a project the user may have been working on while not logged in.
/**
 * Finalizes a login: logs it, records the login time, rotates the session ID
 * and notifies modules through the 'login' operation.
 *
 * This copy carries two custom lines (marked below) that hand the session ID
 * in use before the rotation to tf_user_new_session_id().
 *
 * @param $edit
 *   Passed by reference and forwarded as-is to user_module_invoke().
 */
function user_authenticate_finalize(&$edit) {
global $user;
watchdog('user', 'Session opened for %name.', array('%name' => $user->name));
// Update the user table timestamp noting user has logged in.
// This is also used to invalidate one-time login links.
$user->login = time();
// Values are bound through the %d placeholders rather than concatenated into the SQL string.
db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
// Custom: remember the session ID in use before the rotation below; once
// sess_regenerate() has run, session_id() is expected to return a different value.
$old_session_id = session_id(); //THIS LINE NEEDS TO BE MOVED
// Regenerate the session ID to prevent against session fixation attacks.
sess_regenerate();
// Custom: pass the pre-login ID to the project-specific helper (defined elsewhere).
// NOTE(review): the pre-login ID should serve only as a lookup key for the
// visitor's unsaved work, never as proof of identity - confirm in the helper.
tf_user_new_session_id($user, $old_session_id); //THIS LINE NEEDS TO BE MOVED
// The 'login' operation fires only here, after the rotation, so code moved into
// a 'login' handler can no longer read the pre-login ID from session_id().
user_module_invoke('login', $edit, $user);
}
The lines I need to move out of core are the ones right before and right after sess_regenerate();
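/**
 * User hook handler that tries to carry a visitor's pre-login session ID across
 * login by parking it in the 'session_id_anonymous' cookie.
 *
 * On 'login' the current session ID is written to the cookie (24 hours). On
 * 'load', if the cookie holds a string that differs from the current session
 * ID, the helper tf_user_new_session_id() is called and the cookie is expired.
 *
 * Hardening applied here: the cookie value is client-controlled, so it is
 * accepted only when it is a string (a request can also deliver it as an
 * array), and it is compared with !== so that two different numeric-looking
 * IDs are never treated as equal by loose comparison.
 *
 * @param $op
 *   The operation being performed; only 'login' and 'load' are handled here.
 * @param $edit
 *   Not used by the visible code.
 * @param $account
 *   The account object the operation applies to; its uid is passed to the helper.
 * @param $category
 *   Not used by the visible code.
 */
function tf_user_user($op, &$edit, &$account, $category = NULL)
{
    $current_session = session_id();

    if ('login' == $op)
    {
        // NOTE(review): in the core function shown earlier, the 'login' operation is
        // invoked after sess_regenerate(), so this value is presumably already the
        // post-login session ID rather than the anonymous one - confirm.
        // NOTE(review): this copies a session identifier into a second cookie that
        // is set without the HttpOnly or Secure flags, so page scripts can read it.
        // Keeping the anonymous ID in server-side session data, written while the
        // visitor is still anonymous, would avoid both the exposure and the need to
        // trust a cookie - confirm that session data survives sess_regenerate().
        setcookie('session_id_anonymous', $current_session, time() + 86400);
    }

    if ('load' == $op)
    {
        // The cookie comes from the browser: accept it only when it is a string.
        $anonymous_session = NULL;
        if (isset($_COOKIE['session_id_anonymous']) && is_string($_COOKIE['session_id_anonymous']))
        {
            $anonymous_session = $_COOKIE['session_id_anonymous'];
        }

        if ($anonymous_session !== NULL && $anonymous_session !== $current_session)
        {
            // NOTE(review): $account is whichever account is being loaded; confirm it
            // is the logged-in user before work is reassigned to $account->uid.
            // NOTE(review): the helper receives three arguments here but two
            // ($user, $old_session_id) in the core function - confirm its signature,
            // and have it verify that the supplied ID really belongs to anonymous
            // work before reassigning it, since the value is client-supplied.
            tf_user_new_session_id($account->uid, $anonymous_session, $current_session);
            setcookie('session_id_anonymous', $current_session, time() - 3600);
        }
    }
    //more code
}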