I'm looking for any suggestions how to solve this problem. It's somewhat complicated. I'll try to be clear in explanation.

Sorry for the double post, I'm not sure if this is a CMF/cookie crumbler issue, or a Zope issue.

Zope 2.5.0 binary on RH Linux 7.1 with CMF beta 1.1 (will upgrade shortly, but I don't think that's the issue).

Layout of items is like this:

/ (zope root)
    /AdkWood (folder)
        /CMF (CMF Site)
            /Manage (has javascript source and index_html for one-page web app)
            /Members (folder)
                /bkc (folder)
                    /mycompany (ZClass instance of SearchableCompany)
            /acl_users (for CMF)
    /acl_users (top level)

In Products/SearchableCompanyProduct/SearchableCompany/methods:

    CompanyRequest_py (python Script)

Program Description:

User navigates to /AdkWood/CMF/Manage

This is a protected folder, so they must be an Owner or Manager. They get the login form screen and can authenticate with either a CMF/acl_users username or a root /acl_users username. The problem occurs either way.

The Manage/index_html page template loads up lots of Javascript. It fills a select box with a list of URL paths to SearchableCompany ZClass instances that the user has the owner role on.

On the client, when the user selects one of these items, the client javascript builds an XML-RPC request by taking the URL path of the SearchableCompany and calling the CompanyRequest_py method on it via XML-RPC.

In Zope, after xmlrpc.py decodes the request, we get a path like:

    /AdkWood/CMF/Members/bkc/mycompany/CompanyRequest_py

I can load the above URL in the same browser instance that had previously authenticated to Zope to get the /Manage/index_html page (cached cookie) and the request is processed correctly.

However, when I use xml-rpc to call the method, I get an "Unauthorized, no authentication header found" error.

(about line 405 in BaseRequest.py)

    if user is None and roles != UNSPECIFIED_ROLES:
        response.unauthorized()

Lots of print statements later, I find that user is None, and roles = ['Owner','Manager']

Using tcpwatch.py, I see that the xml-rpc request DOES include the authentication cookie previously received through the login process. It just doesn't seem to be honored by the higher level old_validation() methods.

This is strange because the same browser instance, using the same cookie, can directly navigate to the same URL that the xml-rpc request is sending.

As a quick hack, I changed vxXMLRPC (the xml-rpc javascript client) to send Basic authentication information in every request. When I do this, the xml-rpc method does work. However, I'd rather not use it this way.

So my question is:

Is it possible this is a cookie-crumbler issue because my ZClass instances are "inside" CMF, or is this somehow dependent on xml-rpc processing not working quite right on the server?

Or, maybe this is related to authenticating first to /CMF/Manager folder, but then using the same auth cookie through /CMF/Members/... However, I think this wouldn't be an issue.

Brad Clements, bkc@murkworks.com
(315)268-1000
http://www.murkworks.com
(315)268-9812 Fax
AOL-IM: BKClements