Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -N -r1.115 -r1.116
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 25 Nov 2018 17:34:55 -0000 1.115
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 26 Nov 2018 14:09:06 -0000 1.116
@@ -170,6 +170,23 @@
 set user_id 0
 set account_status closed
+ if {$login_level > 0} {
+ #
+ # Check if we have a valid login cookie, since the
+ # login_level is just based on the session_cookie. On
+ # proper logouts via the web interface, this extra check
+ # should not be necessary. However, if someone hacks
+ # around with the cookies, we want to make sure that no
+ # user_id can set without a login cookie.
+ #
+ try {
+ sec_login_read_cookie
+ } trap {AD_EXCEPTION NO_COOKIE} {errorMsg} {
+ set login_level 0
+ ns_log warning "downgrade login_level since there is no login cookie provided"
+ }
+ }
+
 switch -- $login_level {
 1 {
 set auth_level ok
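Review bot: The new try/trap around sec_login_read_cookie downgrades login_level only for `{AD_EXCEPTION NO_COOKIE}`; if that proc can also fail on a cookie that is present but does not validate, such an error propagates out of the enclosing proc instead of reaching the switch below, which is fail-closed but is not what the comment describes, so it should say so, e.g. `# Only a missing login cookie downgrades login_level; any other error from sec_login_read_cookie aborts the request.`. The comment's "no user_id can set without a login cookie" should read "can be set", and the return value of sec_login_read_cookie is deliberately discarded here, which is worth one line of comment since the call looks like a no-op otherwise. `errorMsg` is captured but never used; `} trap {AD_EXCEPTION NO_COOKIE} {} {` avoids the dead variable. The warning emitted on downgrade is the only trace a defender gets of a session cookie presented without a login cookie, so if connection data is already available at this point of the handler it would be more useful with the peer address appended (e.g. via `[ad_conn peeraddr]`); the enclosing proc starts and ends outside the hunk, so I cannot confirm that from here.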