When the anonymous cache forces users into anonymous mode, it strips the cookies from their request. However, the discourse-logged-in header from the JS client remained.
When the discourse-logged-in header is present without any valid auth_token, the current_user_provider [marks the request as ‘logged out’, and a discourse-logged-out header is returned to the client. This causes the JS app to popup a “you were logged out” modal, which is very disruptive.
This commit strips the discourse-logged-in header from the request at the same time as the auth cookie.