f04a16bbb43853853b66f95e841eba47476424ea
lrnassar
  Wed Jul 16 15:22:34 2025 -0700
Make hgLogin exempt from the captcha, refs #36089

diff --git src/hg/lib/cart.c src/hg/lib/cart.c
index f6c469df558..bd3a718ac48 100644
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@ -1549,32 +1549,33 @@
 captchaCheckDone = TRUE;
 
 if (fromCommandLine || isEmpty(cfgOption(CLOUDFLARESITEKEY)))
     return;
 
 // no captcha for our own QA scripts running on a server with our IP address
 if (botException())
     return;
 
 // certain user agents are allowed to use the website without a captcha
 if (isUserAgentException())
     return;
 
 // hgRenderTracks should not show the captcha - it was made to be used from other websites
 // For hgSession, we redirect from euro and asia to the RR - avoid showing the captcha there
+// hgLogin is the redirect target for hgSession, so avoid it there as well
 char *cgi = cgiScriptName();
-if ( sameWord(cgi, "/cgi-bin/hgRenderTracks") || sameWord(cgi, "/cgi-bin/hgSession") )
+if ( sameWord(cgi, "/cgi-bin/hgRenderTracks") || sameWord(cgi, "/cgi-bin/hgSession") || sameWord(cgi, "/cgi-bin/hgLogin") )
     return;
 
 // Do not show a captcha if we have a valid cookie 
 // but for debugging, it's nice to be able to force the captcha
 if (userId && userIdFound && !cgiOptionalString("captcha"))
     return;
 
 // when the captcha is solved, our JS code does a full page-reload, no AJAX. That saves us one round-trip.
 // After the reload, the new page URL has the captcha token in the URL argument list, so now we need to validate it
 // and remove it from the cart
 char *token = cgiOptionalString("token");
 if (token)
 { 
     if (isValidToken(token))
         {
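Review bot: The added `sameWord(cgi, "/cgi-bin/hgLogin")` test returns before the captcha for every hgLogin request, not only for the redirect that arrives from hgSession. Any sign-in, account-creation or password-recovery action hgLogin serves (presumably all three; confirm against hgLogin itself) would lose this bot check. Because the early return sits above the `cgiOptionalString("captcha")` debug override, the captcha also cannot be forced on for that CGI. If the whole-CGI exemption is intended, record the dependency next to the check, e.g. `// NOTE: exempts all hgLogin actions from the captcha; hgLogin must throttle sign-in/sign-up/reset attempts itself`, and verify that such throttling and failed-login logging exist. Otherwise narrow the condition to the redirect case. The enclosing function starts and ends outside this hunk, so any handling further down is not visible here.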