-> One thing I've been meaning to put together and send in: the form token -> interface really needs an atomic "test and clear token" operation. -> Otherwise, in a multi-threaded server environment, you can still get nailed -> by the "they hit submit twice" problem. If "submit" is charging something -> to a credit card, you can't afford to let that happen... I don't see how this can happen with the current methods of publishing Quixote apps, because there is only ever one Publisher, and a single process handling it. What am I missing? ;) -> Regarding Greg's thoughts on user authentication: if request.session.user -> changes, I could end up with (another) cleanup job to do. Best to do that -> before 1.0 if you're going to - or wait for 2.0. I agree; I also don't see a strong need for it, myself, but I'd be happy to jump on the bandwagon ;). Has anyone taken a look at Webware's user stuff recently? I generally like the design thinking of the prepackaged Webware modules; a couple of months ago, the User classes were not terribly mature, but that may have changed. cheers, --titus