--- a/roundup/cgi/client.py	Sun Jun 28 20:57:00 2020 -0400
+++ b/roundup/cgi/client.py	Mon Jun 29 15:48:04 2020 +0200
@@ -997,7 +997,14 @@
         user = None
         # first up, try http authorization if enabled
         cfg = self.instance.config
-        if cfg.WEB_HTTP_AUTH:
+        if cfg.WEB_COOKIE_TAKES_PRECEDENCE:
+            user = self.session_api.get('user')
+            if user:
+                # update session lifetime datestamp
+                self.session_api.update()
+                if 'REMOTE_USER' in self.env:
+                    del self.env['REMOTE_USER']
+        if not user and cfg.WEB_HTTP_AUTH:
             if 'REMOTE_USER' in self.env:
                 # we have external auth (e.g. by Apache)
                 user = self.env['REMOTE_USER']