I got tired of dealing with the weird mechanics cookie-based logins have to deal with, where standard_html_error and tracebacks intrude on login intercepts. I came up with the following minor change, which works great for me, and might make GenericUserFolder's job easier, too.

In ZPublisher/HTTPRequest.py (or SiteAccess/ChangeBehaviors.py, if you use SiteAccess), change the lines:

    if user is None and roles != UNSPECIFIED_ROLES:
        response.unauthorized()

to:

    if user is None and roles != UNSPECIFIED_ROLES:
        object = response.unauthorized

Under normal circumstances, this has no effect, since 'response.unauthorized' will be called as soon as it is returned and will raise its exception as usual.

Now, however, we add a twist: when the cookie-based authenticator fails, it replaces 'response.unauthorized' with its 'login' document. If no higher-level authentication succeeds, the 'login' document is rendered normally. Since 'response' is re-created with each request, this modification has no effect beyond the current request.

What do you folks think?

Cheers,
Evan @ 4-am
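The mechanism described in the post above, as an added example that is not part of the original message and is not Zope code: a toy publisher showing the deferred `response.unauthorized`, the per-request override by a cookie authenticator, and a higher-level authenticator taking precedence. `Response`, `publish`, `cookie_authenticate`, `login_document`, `outcome` and the `session_user` cookie are hypothetical stand-ins.

```python
# Toy model of the flow in the post; none of these names are ZPublisher's own.

class Unauthorized(Exception):
    pass

UNSPECIFIED_ROLES = object()

class Response:
    """Created fresh for every request, so overrides never outlive it."""
    def unauthorized(self):
        raise Unauthorized("authentication required")

def login_document():
    # Stand-in for the cookie authenticator's 'login' document.
    return "<form action='login' method='post'>...</form>"

def cookie_authenticate(response, cookies):
    """Return a user name, or None after arming the login form."""
    # Constructed cookie; a real authenticator verifies it server-side.
    user = cookies.get("session_user")
    if user is None:
        # Instance attribute shadows the method on this response only.
        response.unauthorized = login_document
    return user

def publish(cookies, roles=("Manager",), use_cookie_auth=True,
            higher_level_user=None):
    response = Response()
    obj = lambda: "protected page"
    user = cookie_authenticate(response, cookies) if use_cookie_auth else None
    # A higher-level authenticator that succeeds wins over the armed form.
    user = user or higher_level_user
    if user is None and roles != UNSPECIFIED_ROLES:
        # The changed line: hand back the callable instead of calling it.
        obj = response.unauthorized
    # The publisher calls whatever object validation returned.
    return obj()

def outcome(**kw):
    """Run one request; report '401' if Unauthorized propagates."""
    try:
        return publish(**kw)
    except Unauthorized:
        return "401"
```
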