To clarify, the issue I wrote about isn't related to $_SESSION, it's modules that store data in a separate table with session id as the key (as e-commerce does). It seems this may be a flawed data model unless there is some means for modules to respond to regenerated session ids.
Did you already try: function mymodule_form_alter($form_id, &$form) { if ($form_id == 'user_login' || $form_id == 'user_login_block') { $form['submit'] = array('mymodule_pre_submit' => array()); $form['submit']['mymodule_post_submit'] = array(); } } function mymodule_pre_submit($form_id, $form_values, $return) { static $backup = array(); if ($return) { return $backup; } // Backup session data here $backup = ... // Invoke user login (hook_user) user_login_submit(...); } function mymodule_post_submit($form_id, $form_values) { // Reset session data $restored = mymodule_pre_submit(NULL, NULL, TRUE); } ? Just an idea. But yes, dealing with hook_user() forms is quite a mess...