From 85213595ce2cbd78ac88f4d58fc825bcaa845355 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Sun, 10 Jun 2018 22:27:27 +0200
Subject: [PATCH 2/2] middleware: do not emit A2_OPENED_SESSION cookie on API requests (fixes #24407)
---
 src/authentic2/middleware.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/authentic2/middleware.py b/src/authentic2/middleware.py
index 06ea4967..3c24a19c 100644
--- a/src/authentic2/middleware.py
+++ b/src/authentic2/middleware.py
@@ -104,6 +104,9 @@ class CollectIPMiddleware(object):
 class OpenedSessionCookieMiddleware(object):
 def process_response(self, request, response):
+ # do not emit cookie for API requests
+ if request.path.startswith('/api/'):
+ return response
 if not app_settings.A2_OPENED_SESSION_COOKIE_DOMAIN:
 return response
 name = app_settings.A2_OPENED_SESSION_COOKIE_NAME
--
2.17.0
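Review bot: The new guard in `process_response` matches the literal prefix `'/api/'` against `request.path`, which in Django includes any script prefix, so a deployment mounted under a sub-path would never match and would still emit the opened-session cookie on API responses. Comparing against the prefix-free path is more robust: `if request.path_info.startswith('/api/'):`. The early return also skips everything below it, and the rest of `process_response` lies outside the hunk; if that code also clears a stale cookie for unauthenticated requests, API responses will no longer do so, which is worth confirming. The comment would help more if it said why, e.g. `# API clients authenticate per request and hold no browser session, so do not advertise one`.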