Just because everyone loves quoting so much, I suggest the following patch, to 1.0b1: *** session.py Mon Apr 12 11:52:00 2004 --- session.py.new Thu Apr 22 13:02:23 2004 *************** *** 28,33 **** --- 28,34 ---- from quixote import get_publisher from quixote.errors import SessionError + import quixote.html try: # /dev/urandom is just as good as /dev/random for cookies (assuming *************** *** 345,351 **** if config.session_cookie_path: path = config.session_cookie_path else: ! path = request.environ['SCRIPT_NAME'] if not path.endswith("/"): path += "/" domain = config.session_cookie_domain --- 346,352 ---- if config.session_cookie_path: path = config.session_cookie_path else: ! path = quixote.html.url_quote(request.environ['SCRIPT_NAME']) if not path.endswith("/"): path += "/" domain = config.session_cookie_domain This is because browsers (well, my browser) set SCRIPT_NAME to the unquoted path, and consider a cookie with a path of '/~me/' different from '/%7Eme/'. So if your app properly url-quotes its paths, it's not going to get the cookie if session_cookie_path = None. If there are browsers that set SCRIPT_NAME already quoted, then I don't know what to do in the face of paths with '%' in them. I also recommend changing the the urllib.quote in http_request.py to quixote.html.url_quote, just so there's a single point of entry for url quoting. As an aside, is urllib ever justified in quoting '~'? It makes common paths ugly and humans always use '~', and in the light of cookie sensitivity, your session can suddenly stop working when you type in an url or come from a human written link that uses '~'.