From 15d4efeb012998e7675657ea3d781562957a4f71 Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Mon, 28 Oct 2013 17:11:53 -0400
Subject: defer looking up headers until the response callback is called (FBO
 things like sessionauthenticationpolicy which does its own header-setting
 when its remember/forget methods are called)

---
 pyramid/security.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyramid/security.py b/pyramid/security.py
index 1b52c9cb5..afca8cd9a 100644
--- a/pyramid/security.py
+++ b/pyramid/security.py
@@ -408,12 +408,12 @@ class AuthenticationAPIMixin(object):
         .. versionadded:: 1.5
 
         """
-        headers = self._remember_userid(principal, **kw)
         def callback(req, response):
             # do not set the headers on an exception unless explicitly
             # instructed
             exc = getattr(req, 'exception', None)
             if exc is None or on_exception:
+                headers = self._remember_userid(principal, **kw)
                 response.headerlist.extend(headers)
         self.add_response_callback(callback)
 
@@ -449,10 +449,10 @@ class AuthenticationAPIMixin(object):
 
         .. versionadded:: 1.5
         """
-        headers = self._forget_userid()
         def callback(req, response):
             exc = getattr(req, 'exception', None)
             if exc is None or on_exception:
+                headers = self._forget_userid()
                 response.headerlist.extend(headers)
         self.add_response_callback(callback)
 
-- 
cgit v1.2.3