c836c93b81
Fix session cookies being sent in publicly cached /autocomplete.json responses. We can't set any cookies in a response that is being publicly cached, otherwise they'll be visible to other users. If a user's session cookies were to be cached, then it would allow their account to be stolen. In reality, well-behaved caches like Cloudflare will simply refuse to cache responses that contain cookies to avoid this scenario. https://support.cloudflare.com/hc/en-us/articles/200172516-Understanding-Cloudflare-s-CDN: BYPASS is returned when enabling Origin Cache-Control. Cloudflare also sets BYPASS when your origin web server sends cookies in the response header.