279166ca6fde058a85d9889501a1509499251d16 jcasper Wed May 20 11:40:23 2026 -0700 Cleaning up an earlyBotCheck persistent SQL connection that snuck in, and ensuring that sqlCleanupAll doesn't crash. Some CGIs set up carefulMemHandler after earlyBotCheck, so the connection list is a mix of two memory allocation setups. Instead of trying to manually free that memory at exit, sqlCleanupAll can let the system handle it. refs #37494
diff --git src/hg/lib/botDelay.c src/hg/lib/botDelay.c
index c4c5ff2ffa6..b5ed5044f7d 100644
--- src/hg/lib/botDelay.c
+++ src/hg/lib/botDelay.c
@@ -122,36 +122,46 @@ if (centralCookie) user = findCookieData(centralCookie); return user; } boolean isValidHguid(char *cookieUserId) /* Check if a particular hguid is valid, i.e. well-formatted, has matching id and secure string, * and isn't corrupted. */ { if (isEmpty(cookieUserId)) return FALSE; boolean isValid = FALSE; struct sqlConnection *conn = hConnectCentralNoCache(); -struct cartDb *cdb = cartDbLoadFromId(conn, userDbTable(), cookieUserId); -if (cdb) +char query[2048]; +if (cartDbHasSessionKey(conn, userDbTable())) { - isValid = TRUE; - cartDbFree(&cdb); + char *sessionKey = NULL; + unsigned id = cartDbParseId(cookieUserId, &sessionKey); + if (sessionKey == NULL) + return FALSE; + sqlSafef(query, sizeof(query), "select id from %s where id = %u and sessionKey = '%s'", + userDbTable(), id, sessionKey); + } +else + { + sqlSafef(query, sizeof(query), "select id from %s where id = %u", userDbTable(), sqlUnsigned(cookieUserId)); } +if (sqlExists(conn, query)) + isValid = TRUE; sqlDisconnect(&conn); return isValid; } static void recordHguidIpAndMaybeForceCaptcha() /* When hguidIpTracking is enabled in hg.conf, upsert this request's * (hguid, REMOTE_ADDR) into the hgcentral tracking table. If a single * hguid has been seen from more than hguidIpTracking.maxIps distinct IPs * within the last hguidIpTracking.windowSeconds, set the "captcha" CGI * var so forceUserIdOrCaptcha() in cart.c forces the user through the * Cloudflare captcha (the bypass at cart.c:1618 honors this override). */ { if (!cfgOptionBooleanDefault("hguidIpTracking.enabled", FALSE)) return;
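Review bot: The early `return FALSE;` taken when `sessionKey == NULL` in isValidHguid skips `sqlDisconnect(&conn)`, so a cookie without a session-key part leaves open the connection obtained from hConnectCentralNoCache(), which is the kind of leftover connection this commit sets out to remove. Release it on that path, e.g. `if (sessionKey == NULL) { sqlDisconnect(&conn); return FALSE; }`, or set a flag and fall through to the existing disconnect. The else branch passes the raw cookie value to `sqlUnsigned(cookieUserId)`; if that helper aborts on non-numeric text (its body is not visible in this hunk), a malformed hguid would end the request instead of returning FALSE, so checking that the value is all digits first may be worthwhile. A short comment above the `sqlSafef` calls, such as `/* id and sessionKey come from the client cookie; sqlSafef does the escaping */`, would make the trust boundary explicit for the next reader.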