I am using cookie crumbler with the default acl-users. The site organization (much simplified) looks like root - a - b - one- ... | c - d - two- ... There are separate acl-users folders at root, one, and two The acl-users folder at one and two are disjoint. The root acl-users folder is for admin and managers only. There are two cookie crumblers (default parameterization), each parallel with the acl-users folder in one and two. Each of the cookie crumblers references the default stuff (login_form, logged_in, etc.) The two subsites are supposed to be isolated from each other. This is done by roles. Access to site one requires one of two or three roles, access two requires other roles. Managers get to visit both. At least that's the plan. But there's several things wrong in terms of the observed behavior. I'd appreciate a little help from anyone who understands the interaction of Zope's security and the login mechanism.