I'm using out-of-the-box user authentication with CookieCrumbler. Everything seems fine except that the identified user in the Z2.log file is wrong. The site structure is something like

    root--foldera--folderb--userroot--stuff--...
     |                       |
    acl_users               acl_users & CookieCrumbler

The root acl_users authenticates administrative folks. There is no CookieCrumbler in the root folder. Anonymous users get sent off to the userroot, where they authenticate with the second acl_users. But their user name apparently never gets set properly for logging via the Z2.log. Internally, everything is set properly, with _.SecurityGetUser().getUserName() returning the user's login name, etc.

I assume there is some method which needs to be called to update the username for logging purposes when the login is upgraded, but I've been unable to find it. Or is this a problem caused by the lack of a CookieCrumbler in the root folder....