remove auth_tkt if possible plus added comments to cookie removal code

ckan · Mar 20, 2012 · 7535aef · 7535aef
1 parent 41a6657
commit 7535aef
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/ckan/lib/base.py b/ckan/lib/base.py
@@ -180,17 +180,24 @@ def __call__(self, environ, start_response):
         # the request is routed to. This routing information is
         # available in environ['pylons.routes_dict']
 
-        # clean out any old cookies as they may contain api keys etc
+        # Clean out any old cookies as they may contain api keys etc
+        # This also improves the cachability of our pages as cookies
+        # prevent proxy servers from caching content unless they have
+        # been configured to ignore them.
         for cookie in request.cookies:
-            if cookie.startswith('ckan') and cookie not in ['ckan', 'ckan_killtopbar']:
+            if cookie.startswith('ckan') and cookie not in ['ckan']:
                 response.delete_cookie(cookie)
-
-            if cookie == 'ckan' and not c.user and not h.are_there_flash_messages():
+            # Remove the ckan session cookie if not used e.g. logged out
+            elif cookie == 'ckan' and not c.user and not h.are_there_flash_messages():
                 if session.id:
                     if not session.get('lang'):
                         session.delete()
                 else:
                     response.delete_cookie(cookie)
+            # Remove auth_tkt repoze.who cookie if user not logged in.
+            elif cookie == 'auth_tkt' and not session.id:
+                response.delete_cookie(cookie)
+
         try:
             return WSGIController.__call__(self, environ, start_response)
         finally: