undeprecate remember/forget functions and remove remember_userid/forget_userid methods from request

13 files changed, 183 insertions, 365 deletions

diff --git a/CHANGES.txt b/CHANGES.txt
index 20b7726c4..9f780fe45 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -4,23 +4,13 @@ Unreleased
 Features
 --------
 
-- Authentication and authorization APIs have been added as as methods of the
-  request: ``request.has_permission``, ``request.forget_userid``, and
-  ``request.remember_userid``.
+- An authorization API has been added as a method of the
+  request: ``request.has_permission``.
 
   ``request.has_permission`` is a method-based alternative to the
   ``pyramid.security.has_permission`` API and works exactly the same.  The
   older API is now deprecated.
 
-  ``request.forget_userid`` and ``request.remember_userid`` are method-based
-  alternatives to ``pyramid.security.forget`` and
-  ``pyramid.security.remember``.  These do not work exacly the same as their
-  function counterparts, however.  These methods automatically set the headers
-  returned by the authentication policy on the response, whereas the older
-  function-based APIs returned a sequence of headers and required the caller to
-  set those headers.  The older function-based API still works but is now
-  deprecated.
-
 - Property API attributes have been added to the request for easier access to
   authentication data: ``request.authenticated_userid``,
   ``request.unauthenticated_userid``, and ``request.effective_principals``.
diff --git a/docs/api/request.rst b/docs/api/request.rst
index 661cdfc91..b7604020e 100644
--- a/docs/api/request.rst
+++ b/docs/api/request.rst
@@ -13,8 +13,7 @@
                      current_route_path, static_url, static_path,
                      model_url, resource_url, set_property, 
                      effective_principals, authenticated_userid,
-                     unauthenticated_userid, has_permission, forget_userid,
-                     remember_userid
+                     unauthenticated_userid, has_permission
 
    .. attribute:: context
 
@@ -254,10 +253,6 @@
       request provided by e.g. the ``pshell`` environment.  For more
       information, see :ref:`subrequest_chapter`.
 
-   .. automethod:: remember_userid
-
-   .. automethod:: forget_userid
-
    .. automethod:: has_permission
 
    .. automethod:: add_response_callback
diff --git a/docs/quick_tutorial/authentication/tutorial/views.py b/docs/quick_tutorial/authentication/tutorial/views.py
index 240a23d3e..ab46eb2dd 100644
--- a/docs/quick_tutorial/authentication/tutorial/views.py
+++ b/docs/quick_tutorial/authentication/tutorial/views.py
@@ -1,4 +1,9 @@
 from pyramid.httpexceptions import HTTPFound
+from pyramid.security import (
+    remember,
+    forget,
+    )
+
 from pyramid.view import (
     view_config,
     view_defaults
@@ -36,8 +41,9 @@ class TutorialViews:
             login = request.params['login']
             password = request.params['password']
             if USERS.get(login) == password:
-                request.remember_userid(login)
-                return HTTPFound(location=came_from)
+                headers = remember(request, login)
+                return HTTPFound(location=came_from,
+                                 headers=headers)
             message = 'Failed login'
 
         return dict(
@@ -52,6 +58,7 @@ class TutorialViews:
     @view_config(route_name='logout')
     def logout(self):
         request = self.request
-        request.forget_userid()
+        headers = forget(request)
         url = request.route_url('home')
-        return HTTPFound(location=url)
+        return HTTPFound(location=url,
+                         headers=headers)
diff --git a/docs/quick_tutorial/authorization/tutorial/views.py b/docs/quick_tutorial/authorization/tutorial/views.py
index 2ce2c37b4..43d14455a 100644
--- a/docs/quick_tutorial/authorization/tutorial/views.py
+++ b/docs/quick_tutorial/authorization/tutorial/views.py
@@ -1,4 +1,9 @@
 from pyramid.httpexceptions import HTTPFound
+from pyramid.security import (
+    remember,
+    forget,
+    )
+
 from pyramid.view import (
     view_config,
     view_defaults,
@@ -38,8 +43,9 @@ class TutorialViews:
             login = request.params['login']
             password = request.params['password']
             if USERS.get(login) == password:
-                request.remember_userid(login)
-                return HTTPFound(location=came_from)
+                headers = remember(request, login)
+                return HTTPFound(location=came_from,
+                                 headers=headers)
             message = 'Failed login'
 
         return dict(
@@ -54,6 +60,7 @@ class TutorialViews:
     @view_config(route_name='logout')
     def logout(self):
         request = self.request
-        request.forget_userid()
+        headers = forget(request)
         url = request.route_url('home')
-        return HTTPFound(location=url)
+        return HTTPFound(location=url,
+                         headers=headers)
diff --git a/docs/tutorials/wiki/authorization.rst b/docs/tutorials/wiki/authorization.rst
index bba303d7f..62b1164e3 100644
--- a/docs/tutorials/wiki/authorization.rst
+++ b/docs/tutorials/wiki/authorization.rst
@@ -197,24 +197,24 @@ Add the following import statements to the
 head of ``tutorial/tutorial/views.py``:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 6-11
+   :lines: 6-13,15-17
    :linenos:
-   :emphasize-lines: 3,6
+   :emphasize-lines: 3,6-9,11
    :language: python
 
 (Only the highlighted lines, with other necessary modifications,
 need to be added.)
 
-:func:`~pyramid.view.forbidden_view_config` will be used
+:meth:`~pyramid.view.forbidden_view_config` will be used
 to customize the default 403 Forbidden page.
-:meth:`~pyramid.request.Request.remember_userid` and
-:meth:`~pyramid.request.Request.forget_userid` help to create and
+:meth:`~pyramid.security.remember` and
+:meth:`~pyramid.security.forget` help to create and
 expire an auth ticket cookie.
 
 Now add the ``login`` and ``logout`` views:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 76-102
+   :lines: 82-120
    :linenos:
    :language: python
 
@@ -267,9 +267,8 @@ like this:
 (Only the highlighted line and a trailing comma on the preceding
 line need to be added.)
 
-:attr:`~pyramid.request.Request.authenticated_userid` will return ``None``
-if the user is not authenticated, or a user id if the user is
-authenticated.
+The :meth:`pyramid.request.Request.authenticated_userid` will be ``None`` if
+the user is not authenticated, or a user id if the user is authenticated.
 
 Add a "Logout" link when logged in
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -317,7 +316,7 @@ when we're done:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :linenos:
-   :emphasize-lines: 8,11,18,23,42,46,62,66,74,80,76-107
+   :emphasize-lines: 8,11-15,17,24,29,48,52,68,72,80,82-120
    :language: python
 
 (Only the highlighted lines need to be added.)
diff --git a/docs/tutorials/wiki/src/authorization/tutorial/views.py b/docs/tutorials/wiki/src/authorization/tutorial/views.py
index 57529ac8d..62e96e0e7 100644
--- a/docs/tutorials/wiki/src/authorization/tutorial/views.py
+++ b/docs/tutorials/wiki/src/authorization/tutorial/views.py
@@ -8,6 +8,12 @@ from pyramid.view import (
     forbidden_view_config,
     )
 
+from pyramid.security import (
+    remember,
+    forget,
+    )
+
+
 from .security import USERS
 from .models import Page
 
@@ -89,8 +95,9 @@ def login(request):
         login = request.params['login']
         password = request.params['password']
         if USERS.get(login) == password:
-            request.remember_userid(login)
-            return HTTPFound(location=came_from)
+            headers = remember(request, login)
+            return HTTPFound(location = came_from,
+                             headers = headers)
         message = 'Failed login'
 
     return dict(
@@ -103,5 +110,6 @@ def login(request):
 
 @view_config(context='.models.Wiki', name='logout')
 def logout(request):
-    request.forget_userid()
-    return HTTPFound(location=request.resource_url(request.context))
+    headers = forget(request)
+    return HTTPFound(location = request.resource_url(request.context),
+                     headers = headers)
diff --git a/docs/tutorials/wiki/src/tests/tutorial/views.py b/docs/tutorials/wiki/src/tests/tutorial/views.py
index 57529ac8d..62e96e0e7 100644
--- a/docs/tutorials/wiki/src/tests/tutorial/views.py
+++ b/docs/tutorials/wiki/src/tests/tutorial/views.py
@@ -8,6 +8,12 @@ from pyramid.view import (
     forbidden_view_config,
     )
 
+from pyramid.security import (
+    remember,
+    forget,
+    )
+
+
 from .security import USERS
 from .models import Page
 
@@ -89,8 +95,9 @@ def login(request):
         login = request.params['login']
         password = request.params['password']
         if USERS.get(login) == password:
-            request.remember_userid(login)
-            return HTTPFound(location=came_from)
+            headers = remember(request, login)
+            return HTTPFound(location = came_from,
+                             headers = headers)
         message = 'Failed login'
 
     return dict(
@@ -103,5 +110,6 @@ def login(request):
 
 @view_config(context='.models.Wiki', name='logout')
 def logout(request):
-    request.forget_userid()
-    return HTTPFound(location=request.resource_url(request.context))
+    headers = forget(request)
+    return HTTPFound(location = request.resource_url(request.context),
+                     headers = headers)
diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 830cb0277..1e5d0dcbf 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -221,23 +221,23 @@ Add the following import statements to the
 head of ``tutorial/tutorial/views.py``:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 9-12,19
+   :lines: 9-19
    :linenos:
-   :emphasize-lines: 3,5
+   :emphasize-lines: 3,6-9,11
    :language: python
 
 (Only the highlighted lines need to be added.)
 
-:func:`~pyramid.view.forbidden_view_config` will be used
+:meth:`~pyramid.view.forbidden_view_config` will be used
 to customize the default 403 Forbidden page.
-:meth:`~pyramid.request.Request.remember_userid` and
-:meth:`~pyramid.request.Request.forget_userid` help to create and
+:meth:`~pyramid.security.remember` and
+:meth:`~pyramid.security.forget` help to create and
 expire an auth ticket cookie.
 
 Now add the ``login`` and ``logout`` views:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 85-115
+   :lines: 91-123
    :linenos:
    :language: python
 
@@ -289,7 +289,7 @@ like this:
 
 (Only the highlighted line needs to be added.)
 
-The :attr:`~pyramid.request.Request.authenticated_userid` property will return
+The :meth:`~pyramid.request.Request.authenticated_userid` property will be
 ``None`` if the user is not authenticated.
 
 Add a "Logout" link when logged in
@@ -338,7 +338,7 @@ when we're done:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :linenos:
-   :emphasize-lines: 11,19,25,31,52,55,67,70,82,85-115
+   :emphasize-lines: 11,14-19,25,31,37,58,61,73,76,88,91-117,119-123
    :language: python
 
 (Only the highlighted lines need to be added.)
diff --git a/docs/tutorials/wiki2/src/authorization/tutorial/views.py b/docs/tutorials/wiki2/src/authorization/tutorial/views.py
index 110d738c2..e954d5a31 100644
--- a/docs/tutorials/wiki2/src/authorization/tutorial/views.py
+++ b/docs/tutorials/wiki2/src/authorization/tutorial/views.py
@@ -11,12 +11,18 @@ from pyramid.view import (
     forbidden_view_config,
     )
 
+from pyramid.security import (
+    remember,
+    forget,
+    )
+
+from .security import USERS
+
 from .models import (
     DBSession,
     Page,
     )
 
-from .security import USERS
 
 # regular expression used to find WikiWords
 wikiwords = re.compile(r"\b([A-Z]\w+[A-Z]+\w+)")
@@ -78,8 +84,8 @@ def edit_page(request):
                                                       pagename=pagename))
     return dict(
         page=page,
-        save_url = request.route_url('edit_page', pagename=pagename),
-        logged_in=request.authenticated_userid,
+        save_url=request.route_url('edit_page', pagename=pagename),
+        logged_in=request.authenticated_userid
         )
 
 @view_config(route_name='login', renderer='templates/login.pt')
@@ -97,8 +103,9 @@ def login(request):
         login = request.params['login']
         password = request.params['password']
         if USERS.get(login) == password:
-            request.remember_userid(login)
-            return HTTPFound(location = came_from)
+            headers = remember(request, login)
+            return HTTPFound(location = came_from,
+                             headers = headers)
         message = 'Failed login'
 
     return dict(
@@ -111,6 +118,7 @@ def login(request):
 
 @view_config(route_name='logout')
 def logout(request):
-    request.forget_userid()
-    return HTTPFound(location = request.route_url('view_wiki'))
+    headers = forget(request)
+    return HTTPFound(location = request.route_url('view_wiki'),
+                     headers = headers)
     
diff --git a/docs/tutorials/wiki2/src/tests/tutorial/views.py b/docs/tutorials/wiki2/src/tests/tutorial/views.py
index 110d738c2..41bea4785 100644
--- a/docs/tutorials/wiki2/src/tests/tutorial/views.py
+++ b/docs/tutorials/wiki2/src/tests/tutorial/views.py
@@ -11,12 +11,18 @@ from pyramid.view import (
     forbidden_view_config,
     )
 
+from pyramid.security import (
+    remember,
+    forget,
+    )
+
+from .security import USERS
+
 from .models import (
     DBSession,
     Page,
     )
 
-from .security import USERS
 
 # regular expression used to find WikiWords
 wikiwords = re.compile(r"\b([A-Z]\w+[A-Z]+\w+)")
@@ -78,8 +84,8 @@ def edit_page(request):
                                                       pagename=pagename))
     return dict(
         page=page,
-        save_url = request.route_url('edit_page', pagename=pagename),
-        logged_in=request.authenticated_userid,
+        save_url=request.route_url('edit_page', pagename=pagename),
+        logged_in=request.authenticated_userid
         )
 
 @view_config(route_name='login', renderer='templates/login.pt')
@@ -97,8 +103,9 @@ def login(request):
         login = request.params['login']
         password = request.params['password']
         if USERS.get(login) == password:
-            request.remember_userid(login)
-            return HTTPFound(location = came_from)
+            headers = remember(request, login)
+            return HTTPFound(location = came_from,
+                             headers = headers)
         message = 'Failed login'
 
     return dict(
@@ -111,6 +118,6 @@ def login(request):
 
 @view_config(route_name='logout')
 def logout(request):
-    request.forget_userid()
-    return HTTPFound(location = request.route_url('view_wiki'))
-    
+    headers = forget(request)
+    return HTTPFound(location = request.route_url('view_wiki'),
+                     headers = headers)
diff --git a/pyramid/security.py b/pyramid/security.py
index 7a65d22ce..58fa9332a 100644
--- a/pyramid/security.py
+++ b/pyramid/security.py
@@ -38,6 +38,10 @@ def _get_registry(request):
         reg = get_current_registry() # b/c
     return reg
 
+def _get_authentication_policy(request):
+    registry = _get_registry(request)
+    return registry.queryUtility(IAuthenticationPolicy)
+
 def has_permission(permission, context, request):
     """
     A function that calls
@@ -113,8 +117,8 @@ deprecated(
 
 def remember(request, principal, **kw):
     """
-    Returns a sequence of header tuples (e.g. ``[('Set-Cookie',
-    'foo=abc')]``) on this request's response.
+    Returns a sequence of header tuples (e.g. ``[('Set-Cookie', 'foo=abc')]``)
+    on this request's response.
     These headers are suitable for 'remembering' a set of credentials
     implied by the data passed as ``principal`` and ``*kw`` using the
     current :term:`authentication policy`.  Common usage might look
@@ -126,6 +130,7 @@ def remember(request, principal, **kw):
 
        from pyramid.security import remember
        headers = remember(request, 'chrism', password='123', max_age='86400')
+       response = request.response
        response.headerlist.extend(headers)
        return response
 
@@ -133,23 +138,11 @@ def remember(request, principal, **kw):
     always return an empty sequence. If used, the composition and
     meaning of ``**kw`` must be agreed upon by the calling code and
     the effective authentication policy.
-
-    .. deprecated:: 1.5
-       Use :meth:`pyramid.request.Request.remember_userid` instead.
-       but be sure to read its docs first; the remember_userid method is not an
-       exact analog of the remember function, because it sets headers instead
-       of returning them.
     """
-    return request._remember_userid(principal, **kw)
-
-deprecated(
-    'remember',
-    'As of Pyramid 1.5 the "pyramid.security.remember" API is '
-    'now deprecated.  It will be removed in Pyramd 1.8.  Use the '
-    '"remember_userid" method of the Pyramid request instead, but be sure to '
-    'read the docs first; the remember_userid method is not an exact analog of '
-    'the remember function, because it sets headers instead of returning them.'
-    )
+    policy = _get_authentication_policy(request)
+    if policy is None:
+        return []
+    return policy.remember(request, principal, **kw)
 
 def forget(request):
     """
@@ -169,21 +162,12 @@ def forget(request):
     always return an empty sequence.
 
     .. deprecated:: 1.5
-       Use :meth:`pyramid.request.Request.forget_userid` instead.
-       but be sure to read its docs first; the forget_userid method is not an
-       exact analog of the forget function, because it sets headers instead
-       of returning them.
+       Use :meth:`pyramid.request.Request.get_logout_headers` instead.
     """            
-    return request._forget_userid()
-
-deprecated(
-    'forget',
-    'As of Pyramid 1.5 the "pyramid.security.forget" API is '
-    'now deprecated.  It will be removed in Pyramd 1.8.  Use the '
-    '"forget_user" method of the Pyramid request instead, but be sure to '
-    'read the docs first; the forget_userid method is not an exact analog of '
-    'the forget function, because it sets headers instead of returning them.'
-    )
+    policy = _get_authentication_policy(request)
+    if policy is None:
+        return []
+    return policy.forget(request)
 
 def principals_allowed_by_permission(context, permission):
     """ Provided a ``context`` (a resource object), and a ``permission``
@@ -371,97 +355,6 @@ class AuthenticationAPIMixin(object):
             return [Everyone]
         return policy.effective_principals(self)
     
-    # b/c
-    def _remember_userid(self, principal, **kw):
-        policy = self._get_authentication_policy()
-        if policy is None:
-            return []
-        return policy.remember(self, principal, **kw)
-
-    def remember_userid(self, principal, on_exception=False, **kw):
-        """ Using a response callback, sets authentication headers on the
-        response eventually returned by the view executed by this request
-        suitable for loggin a user in.  These headers are used for
-        'remembering' a set of credentials implied by the data passed as
-        ``principal`` and ``*kw`` using the current :term:`authentication
-        policy`.  Common usage might look like so within the body of a view
-        function:
-
-        .. code-block:: python
-
-           request.remember_userid('chrism', password='123', max_age='86400')
-
-        This method always returns ``None``; it is called only for its side
-        effects.
-
-        If no :term:`authentication policy` is in use, this function will
-        do nothing. If used, the composition and
-        meaning of ``**kw`` must be agreed upon by the calling code and
-        the effective authentication policy.
-
-        One special keyword value is understood by this method:
-        ``on_exception``.  Usually if an exception occurs within the same
-        request after this method is called, the headers provided by the
-        authentication policy will not be set on the response.  If
-        ``on_exception`` is passed, and as ``True``, then the headers will be
-        set on the response even if an exception is later raised.  By default
-        this value is ``False``.
-
-        .. versionadded:: 1.5
-
-        """
-        def callback(req, response):
-            # do not set the headers on an exception unless explicitly
-            # instructed
-            exc = getattr(req, 'exception', None)
-            if exc is None or on_exception:
-                # NB: this call to _remember_userid should be exactly here
-                # because some policies actually add another response callback
-                # when their remember method is called, and we dont want them
-                # to do that if there's an exception in the default case.
-                headers = req._remember_userid(principal, **kw)
-                response.headerlist.extend(headers)
-        self.add_response_callback(callback)
-
-    # b/c
-    def _forget_userid(self):
-        policy = self._get_authentication_policy()
-        if policy is None:
-            return []
-        return policy.forget(self)
-
-    def forget_userid(self, on_exception=False):
-        """ Using a response callback, sets authentication headers suitable for
-        logging a user out on the response returned by the view executed during
-        this request based on the current :term:`authentication policy`.
-
-        If no :term:`authentication policy` is in use, this function will
-        be a noop.
-
-        This method always returns ``None``; it is called only for its side
-        effects.
-
-        One special keyword value is understood by this method:
-        ``on_exception``.  Usually if an exception occurs within the same
-        request after this method is called, the headers provided by the
-        authentication policy will not be set on the response.  If
-        ``on_exception`` is passed, and as ``True``, then the headers will be
-        set on the response even if an exception is later raised.  By default
-        this value is ``False``.
-
-        .. versionadded:: 1.5
-        """
-        def callback(req, response):
-            exc = getattr(req, 'exception', None)
-            if exc is None or on_exception:
-                # NB: this call to _forget_userid should be exactly here
-                # because some policies actually add another response callback
-                # when their forget method is called, and we dont want them
-                # to do that if there's an exception in the default case.
-                headers = req._forget_userid()
-                response.headerlist.extend(headers)
-        self.add_response_callback(callback)
-
 class AuthorizationAPIMixin(object):
 
     def has_permission(self, permission, context=None):
diff --git a/pyramid/tests/test_config/test_testing.py b/pyramid/tests/test_config/test_testing.py
index d13cb9285..05561bfe9 100644
--- a/pyramid/tests/test_config/test_testing.py
+++ b/pyramid/tests/test_config/test_testing.py
@@ -25,31 +25,28 @@ class TestingConfiguratorMixinTests(unittest.TestCase):
         self.assertEqual(ut.permissive, False)
 
     def test_testing_securitypolicy_remember_result(self):
+        from pyramid.security import remember
         config = self._makeOne(autocommit=True)
         pol = config.testing_securitypolicy(
             'user', ('group1', 'group2'),
-            permissive=False,
-            remember_result=[('X-Pyramid-Test', True)])
+            permissive=False, remember_result=True)
         request = DummyRequest()
         request.registry = config.registry
-        request.remember_userid('fred')
+        val = remember(request, 'fred')
         self.assertEqual(pol.remembered, 'fred')
-        val = dict(request.response.headerlist).get('X-Pyramid-Test')
         self.assertEqual(val, True)
 
     def test_testing_securitypolicy_forget_result(self):
+        from pyramid.security import forget
         config = self._makeOne(autocommit=True)
         pol = config.testing_securitypolicy(
             'user', ('group1', 'group2'),
-            permissive=False,
-            forget_result=[('X-Pyramid-Test', True)])
+            permissive=False, forget_result=True)
         request = DummyRequest()
         request.registry = config.registry
-        request.response = DummyResponse()
-        request.forget_userid()
+        val = forget(request)
         self.assertEqual(pol.forgotten, True)
-        val = dict(request.response.headerlist).get('X-Pyramid-Test')
-        self.assertTrue(val)
+        self.assertEqual(val, True)
 
     def test_testing_resources(self):
         from pyramid.traversal import find_resource
@@ -200,24 +197,9 @@ from zope.interface import implementer
 class DummyEvent:
     pass
 
-class DummyResponse(object):
-    def __init__(self):
-        self.headers = []
-
-    @property
-    def headerlist(self):
-        return self.headers
-
 class DummyRequest(AuthenticationAPIMixin, AuthorizationAPIMixin):
-    subpath = ()
-    matchdict = None
     def __init__(self, environ=None):
         if environ is None:
             environ = {}
         self.environ = environ
-        self.params = {}
-        self.cookies = {}
-        self.response = DummyResponse()
         
-    def add_response_callback(self, callback):
-        callback(self, self.response)
diff --git a/pyramid/tests/test_security.py b/pyramid/tests/test_security.py
index 96f171324..6f08a100c 100644
--- a/pyramid/tests/test_security.py
+++ b/pyramid/tests/test_security.py
@@ -127,6 +127,69 @@ class TestPrincipalsAllowedByPermission(unittest.TestCase):
         result = self._callFUT(context, 'view')
         self.assertEqual(result, 'yo')
 
+class TestRemember(unittest.TestCase):
+    def setUp(self):
+        testing.setUp()
+        
+    def tearDown(self):
+        testing.tearDown()
+
+    def _callFUT(self, *arg):
+        from pyramid.security import remember
+        return remember(*arg)
+
+    def test_no_authentication_policy(self):
+        request = _makeRequest()
+        result = self._callFUT(request, 'me')
+        self.assertEqual(result, [])
+
+    def test_with_authentication_policy(self):
+        request = _makeRequest()
+        registry = request.registry
+        _registerAuthenticationPolicy(registry, 'yo')
+        result = self._callFUT(request, 'me')
+        self.assertEqual(result, [('X-Pyramid-Test', 'me')])
+
+    def test_with_authentication_policy_no_reg_on_request(self):
+        from pyramid.threadlocal import get_current_registry
+        registry = get_current_registry()
+        request = _makeRequest()
+        del request.registry
+        _registerAuthenticationPolicy(registry, 'yo')
+        result = self._callFUT(request, 'me')
+        self.assertEqual(result, [('X-Pyramid-Test', 'me')])
+
+class TestForget(unittest.TestCase):
+    def setUp(self):
+        testing.setUp()
+        
+    def tearDown(self):
+        testing.tearDown()
+
+    def _callFUT(self, *arg):
+        from pyramid.security import forget
+        return forget(*arg)
+
+    def test_no_authentication_policy(self):
+        request = _makeRequest()
+        result = self._callFUT(request)
+        self.assertEqual(result, [])
+
+    def test_with_authentication_policy(self):
+        request = _makeRequest()
+        _registerAuthenticationPolicy(request.registry, 'yo')
+        result = self._callFUT(request)
+        self.assertEqual(result, [('X-Pyramid-Test', 'logout')])
+
+    def test_with_authentication_policy_no_reg_on_request(self):
+        from pyramid.threadlocal import get_current_registry
+        registry = get_current_registry()
+        request = _makeRequest()
+        del request.registry
+        _registerAuthenticationPolicy(registry, 'yo')
+        result = self._callFUT(request)
+        self.assertEqual(result, [('X-Pyramid-Test', 'logout')])
+        
 class TestViewExecutionPermitted(unittest.TestCase):
     def setUp(self):
         testing.setUp()
@@ -312,149 +375,6 @@ class TestEffectivePrincipals(unittest.TestCase):
         _registerAuthenticationPolicy(registry, 'yo')
         self.assertEqual(request.effective_principals, 'yo')
 
-class TestRememberUserId(unittest.TestCase):
-    principal = 'the4th'
-
-    def setUp(self):
-        testing.setUp()
-
-    def tearDown(self):
-        testing.tearDown()
-        
-    def assert_response_headers(self, request, expected_headers):
-        request._process_response_callbacks(request.response)
-        headers = request.response.headerlist
-        self.assertEqual(list(expected_headers), list(headers))
-
-    def test_backward_compat_delegates_to_mixin(self):
-        from zope.deprecation import __show__
-        try:
-            __show__.off()
-            request = _makeFakeRequest()
-            from pyramid.security import remember
-            self.assertEqual(
-                remember(request, 'matt'),
-                [('X-Pyramid-Test', 'remember_userid')]
-                )
-        finally:
-            __show__.on()
-
-    def test_with_no_authentication_policy(self):
-        request = _makeRequest()
-        headers_before = request.response.headerlist
-        request.remember_userid(self.principal)
-        self.assert_response_headers(request, headers_before)
-
-    def test_with_authentication_policy(self):
-        request = _makeRequest()
-        headers_before = request.response.headerlist
-        expected_headers = headers_before[:] + [(_TEST_HEADER, self.principal)]
-        _registerAuthenticationPolicy(request.registry, self.principal)
-        request.remember_userid(self.principal)
-        self.assert_response_headers(request, expected_headers)
-
-    def test_with_authentication_policy_no_reg_on_request(self):
-        from pyramid.threadlocal import get_current_registry
-        registry = get_current_registry()
-        request = _makeRequest()
-        del request.registry
-        _registerAuthenticationPolicy(registry, self.principal)
-        headers_before = request.response.headerlist
-        request.remember_userid(self.principal)
-        expected_headers = headers_before[:] + [(_TEST_HEADER, self.principal)]
-        self.assert_response_headers(request, expected_headers)
-
-    def test_request_has_exception_attr_no_on_exception_flag(self):
-        request = _makeRequest()
-        headers_before = request.response.headerlist
-        _registerAuthenticationPolicy(request.registry, self.principal)
-        request.exception = True
-        request.remember_userid(self.principal)
-        self.assert_response_headers(request, headers_before)
-
-    def test_request_has_exception_attr_with_on_exception_flag(self):
-        request = _makeRequest()
-        headers_before = request.response.headerlist
-        _registerAuthenticationPolicy(request.registry, self.principal)
-        request.exception = True
-        request.remember_userid(self.principal, on_exception=True)
-        expected_headers = headers_before[:] + [(_TEST_HEADER, self.principal)]
-        self.assert_response_headers(request, expected_headers)
-        
-class TestForgetUserId(unittest.TestCase):
-    principal = 'me-not'
-
-    def setUp(self):
-        testing.setUp()
-
-    def tearDown(self):
-        testing.tearDown()
-        
-    def assert_response_headers(self, request, expected_headers):
-        request._process_response_callbacks(request.response)
-        headers = request.response.headerlist
-        self.assertEqual(list(expected_headers), list(headers))
-
-    def _makeOne(self):
-        request = _makeRequest()
-        request.response.headers.add(_TEST_HEADER, self.principal)
-        return request
-
-    def test_backward_compat_delegates_to_mixin(self):
-        from zope.deprecation import __show__
-        try:
-            __show__.off()
-            request = _makeFakeRequest()
-            from pyramid.security import forget
-            self.assertEqual(
-                forget(request),
-                [('X-Pyramid-Test', 'forget_userid')],
-                )
-        finally:
-            __show__.on()
-
-    def test_with_no_authentication_policy(self):
-        request = self._makeOne()
-        headers_before = request.response.headerlist
-        request.forget_userid()
-        self.assert_response_headers(request, headers_before)
-
-    def test_with_authentication_policy(self):
-        request = self._makeOne()
-        headers_before = request.response.headerlist
-        expected_headers = headers_before[:] + [(_TEST_HEADER, 'forget_userid')]
-        _registerAuthenticationPolicy(request.registry, self.principal)
-        request.forget_userid()
-        self.assert_response_headers(request, expected_headers)
-        
-    def test_with_authentication_policy_no_reg_on_request(self):
-        from pyramid.threadlocal import get_current_registry
-        registry = get_current_registry()
-        request = self._makeOne()
-        del request.registry
-        _registerAuthenticationPolicy(registry, self.principal)
-        headers_before = request.response.headerlist
-        request.forget_userid()
-        expected_headers = headers_before[:] + [(_TEST_HEADER, 'forget_userid')]
-        self.assert_response_headers(request, expected_headers)
-
-    def test_request_has_exception_attr_no_on_exception_flag(self):
-        request = self._makeOne()
-        headers_before = request.response.headerlist
-        _registerAuthenticationPolicy(request.registry, self.principal)
-        request.exception = True
-        request.forget_userid()
-        self.assert_response_headers(request, headers_before)
-
-    def test_request_has_exception_attr_with_on_exception_flag(self):
-        request = self._makeOne()
-        headers_before = request.response.headerlist
-        _registerAuthenticationPolicy(request.registry, self.principal)
-        request.exception = True
-        request.forget_userid(on_exception=True)
-        expected_headers = headers_before[:] + [(_TEST_HEADER, 'forget_userid')]
-        self.assert_response_headers(request, expected_headers)
-        
 class TestHasPermission(unittest.TestCase):
     def setUp(self):
         testing.setUp()
@@ -548,7 +468,7 @@ class DummyAuthenticationPolicy:
         return headers
 
     def forget(self, request):
-        headers = [(_TEST_HEADER, 'forget_userid')]
+        headers = [(_TEST_HEADER, 'logout')]
         self._header_forgotten = headers[0]
         return headers
 
@@ -595,11 +515,5 @@ def _makeFakeRequest():
         def effective_principals(req):
             return 'effective_principals'
 
-        def _forget_userid(req):
-            return [('X-Pyramid-Test', 'forget_userid')]
-
-        def _remember_userid(req, principal, **kw):
-            return [('X-Pyramid-Test', 'remember_userid')]    
-
     return FakeRequest({})