2f8bf52537b9b144e7866b0325f8fd3f03441594
max
  Wed May 21 13:55:38 2025 -0700
tying down the bots a little more, no redmine

diff --git src/hg/lib/cart.c src/hg/lib/cart.c
index 8c629cc249a..010c27d83d6 100644
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@ -1470,34 +1470,34 @@
 struct sqlConnection *conn = cartDefaultConnector();
 char *ex;
 boolean userIdFound = FALSE, sessionIdFound = FALSE;
 
 AllocVar(cart);
 cart->hash = newHash(12);
 cart->exclude = newHash(7);
 cart->userId = userId;
 cart->sessionId = sessionId;
 cart->userInfo = loadDb(conn, userDbTable(), userId, &userIdFound);
 cart->sessionInfo = loadDb(conn, sessionDbTable(), sessionId, &sessionIdFound);
 
 if (sessionIdFound && !userIdFound && !cgiWasSpoofed() && cfgOptionBooleanDefault("noCookieTrace", FALSE))
     fprintf(stderr, "HGSID_WITHOUT_COOKIE\n");
 
-if (sessionId && !sessionIdFound && (!userId || !userIdFound) && cfgOptionBooleanDefault("punishInvalidHgsid", FALSE))
+if (((sessionId && !sessionIdFound) || !sessionId) && (!userId || !userIdFound) && cfgOptionBooleanDefault("punishInvalidHgsid", FALSE))
     {
-    fprintf(stderr, "HGSID_WAIT hgsid but no cookies: 10 seconds penalty");
-    sleep(10);
+    fprintf(stderr, "HGSID_WAIT invalid sessionId and invalid cookie: 6 seconds penalty");
+    sleep(6);
     }
 
 
 if (sessionIdFound)
     cartParseOverHash(cart, cart->sessionInfo->contents);
 else if (userIdFound)
     cartParseOverHash(cart, cart->userInfo->contents);
 else
     {
     char *defaultCartContents = getDefaultCart(conn);
     cartParseOverHash(cart, defaultCartContents);
     }
 char when[1024];
 safef(when, sizeof(when), "open %s %s", userId, sessionId);
 cartTrace(cart, when, conn);