4baad074794d51613f63e200e56f355c5a8448d9
max
  Wed Jul 16 00:03:16 2025 -0700
skip captcha on hgSession, refs #36089

diff --git src/hg/lib/cart.c src/hg/lib/cart.c
index 7c7b106b887..f6c469df558 100644
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@ -1548,31 +1548,33 @@
 
 captchaCheckDone = TRUE;
 
 if (fromCommandLine || isEmpty(cfgOption(CLOUDFLARESITEKEY)))
     return;
 
 // no captcha for our own QA scripts running on a server with our IP address
 if (botException())
     return;
 
 // certain user agents are allowed to use the website without a captcha
 if (isUserAgentException())
     return;
 
 // hgRenderTracks should not show the captcha - it was made to be used from other websites
-if (sameWord(cgiScriptName(), "/cgi-bin/hgRenderTracks"))
+// For hgSession, we redirect from euro and asia to the RR - avoid showing the captcha there
+char *cgi = cgiScriptName();
+if ( sameWord(cgi, "/cgi-bin/hgRenderTracks") || sameWord(cgi, "/cgi-bin/hgSession") )
     return;
 
 // Do not show a captcha if we have a valid cookie 
 // but for debugging, it's nice to be able to force the captcha
 if (userId && userIdFound && !cgiOptionalString("captcha"))
     return;
 
 // when the captcha is solved, our JS code does a full page-reload, no AJAX. That saves us one round-trip.
 // After the reload, the new page URL has the captcha token in the URL argument list, so now we need to validate it
 // and remove it from the cart
 char *token = cgiOptionalString("token");
 if (token)
 { 
     if (isValidToken(token))
         {