325cbfe133124a17017edda28f0789217e86c61f
max
  Wed Jun 10 06:17:25 2026 -0700
just a few comments

diff --git src/hg/lib/cart.c src/hg/lib/cart.c
index dfefd94fd91..813b1b50043 100644
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@ -1548,31 +1548,31 @@
     exit(0);
 }
 
 static boolean isUserAgentException()
 /* return true if HTTP user-agent is in list of exceptions in hg.conf */
 {
 return botExceptionUserAgent();
 }
 
 void forceUserIdOrCaptcha(struct cart* cart, char *userId, boolean userIdFound, boolean fromCommandLine)
 /* print captcha if user did not sent a valid hguid cookie or a valid
  * cloudflare token. Allow certain IPs and user-agents. */
 {
 static boolean captchaCheckDone = FALSE;
 
-// No need to do this again. Can happen if cartNew() is called somewhere else in a CGI
+// No need to do this again in a CGI run. Can happen if cartNew() is called somewhere else in a CGI a second time
 if (captchaCheckDone)
     return;
 
 captchaCheckDone = TRUE;
 
 if (fromCommandLine || isEmpty(cfgOption(CLOUDFLARESITEKEY)))
     return;
 
 // no captcha for our own QA scripts running on a server with our IP address
 if (botException())
     return;
 
 // certain user agents are allowed to use the website without a captcha
 if (isUserAgentException())
     return;
@@ -1678,31 +1678,32 @@
 boolean userIdFound = FALSE, sessionIdFound = FALSE;
 
 AllocVar(cart);
 cart->hash = newHash(12);
 cart->exclude = newHash(7);
 cart->userId = userId;
 cart->sessionId = sessionId;
 cart->userInfo = loadDb(conn, userDbTable(), userId, &userIdFound);
 
 cart->sessionInfo = loadDb(conn, sessionDbTable(), sessionId, &sessionIdFound);
 
 boolean fromCli = cgiWasSpoofed(); // QA runs our CGIs from the command line and we debug from there
 
 forceUserIdOrCaptcha(cart, userId, userIdFound, fromCli);
 
-// we rely on the cookie being validated, so if we reset a cookie, do this after the captcha
+// we rely on the cookie being validated later, so if user requested to reset the cookie settings
+// load the settings after the captcha has been checked
 if ( cgiOptionalString("ignoreCookie") != NULL )
     cart->userInfo = loadDb(conn, userDbTable(), NULL, &userIdFound);
 
 if (sessionIdFound)
     cartParseOverHash(cart, cart->sessionInfo->contents);
 else if (userIdFound)
     cartParseOverHash(cart, cart->userInfo->contents);
 else
     {
     char *defaultCartContents = getDefaultCart(conn);
     cartParseOverHash(cart, defaultCartContents);
     }
 char when[1024];
 safef(when, sizeof(when), "open %s %s", userId, sessionId);
 cartTrace(cart, when, conn);