I also just posted this to the ExUserFolder list, but I realise it's not necessarily specific to that. *** Bit of a newbie here, so my statements may be in error... Here's an outline of my site: Root Folder acl_users ... subfolder acl_users (exUserFolder) ... protected, lower stuff If a browser navigates to the root of my site, they are anonymous (with respect to the top level acl_users). If they login via a subfolder (having its own acl_users), they are authenticated in that subfolder and lower, etc. However, if they navigate back to the root, they are again anonymous (in that context), but returning to the subfolder, they are still authenticated. Q.1) Is it possible for pages at the root level to obtain the user info with respect to the subfolder's acl_users rather than that of the root's? I realise you can call methods on acl_users like this: <span tal:replace="python:root.acl_users.getUserNames()"></span> <span tal:replace="python:root.subfolder.acl_users.getUserNames()"></span> But, how do you discriminate between the 'authenticated user's that you're interested in? In other words, is there a way of getting a contextualised 'user' object? I can only think of calling a script that's located in 'subfolder', but I'm not sure that'd work... Q.2) Is the '__ac' cookie stored with respect to the path of the subfolder? Or when I need to log the 'subfolder' user out should the path in the following still be '/' or should it be '/subfolder/' ? <div tal:define="dummy python:request['RESPONSE'].expireCookie('__ac',path='/')" /> OR <div tal:define="dummy python:request['RESPONSE'].expireCookie('__ac',path='/subfolder/')" /> ta for help :)