Here's my ZODB structure: parent_folder -- child_folder_1 -- child_folder_2 I want users to be able to authenticate into each of the child folders independently, so I put an acl_users and cookie crumbler into each of the child folders (can be either standard user folder or XUF, makes no difference). I then define a single user in each child folder as follows: 'child_1' in 'child_folder_1/acl_users' 'child_2' in 'child_folder_2/acl_users' I set each cookie crumbler to 'Use cookie paths to limit scope'. I then put a file called 'login_stub' in each of the folders with its 'view' acquisition turned off. Point a browser at either of the 'login_stub's, and you get a login form; enter a valid name/pwd for that folder and you have access (of course, you had view access before, but now you have whatever rights the relevant user has, which may be more than just 'Anonymous'). Looking at a different child folder does the same thing again as you would expect. Inspecting the cookies shows their paths to be '/child_folder_1' etc. So, this gets me the ability to authenticate into each child folder separately, perhaps using a different user name. If I put an acl_users and cookie_crumbler into 'parent_folder' (to allow a different group of people to manage at that level), however, it all goes wrong. With these present, the cookie paths from the above example become '/', which seems to indicate that they are being generated in the parent_folder rather than the relevant child one. And login fails; presumably because the username supplied for (say) 'child_folder_1' is not valid for 'parent_folder'. If I remove the acl_users and cookie_crumbler from parent_folder, the child folders work fine again. To summarise: if the higher level ones are present, zope uses them. If not, it uses the child one as it should. Why should the presence or absence of the objects in 'parent_folder' affect the child's behaviour? I don't see how it can be caused by restrictive permissions on something in the child folders, since it wouldn't work without the parent_folder objects, but this seems to be kind of the opposite of what acquisition is supposed to do. Anyone run into this kind of thing or am I just trying to be too fine grained and it can't be done? Thanks in advance.... Phil Robinson PS Without the cookie crumblers present, each child seems to behave as you expect. Of course, you can only be logged into one at a time, but the presence or absence of an acl_users in 'parent_folder' doesn't affect their behaviour.