2 files changed, 21 insertions, 12 deletions

diff --git a/docs/glossary.rst b/docs/glossary.rst
index 5edc4eeab..8152c7b96 100644
--- a/docs/glossary.rst
+++ b/docs/glossary.rst
@@ -303,9 +303,8 @@ Glossary
      request.  Oftentimes this is the ID of the user object in a database.
 
    identity
-     An identity is an object identifying the user associated with the
-     current request.  The identity can be any object, but security policies
-     should ensure that it represents a valid user (not deleted or deactivated).
+      An identity is an object identifying the user associated with the current request.
+      The object can be of any shape, such as a simple ID string or an ORM object.
 
    security policy
      A security policy in :app:`Pyramid` terms is an object implementing the
diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index cdc16b6a1..60be067bf 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -69,17 +69,21 @@ A simple security policy might look like the following:
     from pyramid.security import Allowed, Denied
 
     class SessionSecurityPolicy:
+        def authenticated_userid(self, request):
+            """ Return a string ID for the user. """
+            userid = self.identify(request).id
+            if validate_userid(request, userid):
+                return userid
+            else:
+                return None
+
         def identify(self, request):
             """ Return app-specific user object. """
-            userid = request.session.get('userid')
+            userid = self.authenticated_userid
             if userid is None:
                 return None
             return load_identity_from_db(request, userid)
 
-        def authenticated_userid(self, request):
-            """ Return a string ID for the user. """
-            return self.identify(request).id
-
         def permits(self, request, context, permission):
             """ Allow access to everything if signed in. """
             identity = self.identify(request)
@@ -141,12 +145,18 @@ For example, our above security policy can leverage these helpers like so:
         def __init__(self):
             self.helper = SessionAuthenticationHelper()
 
-        def identify(self, request):
+        def authenticated_userid(self, request):
             userid = self.helper.authenticated_userid(request)
-            return load_identity_from_db(request, userid)
+            if validate_userid(request, userid):
+                return userid
+            else:
+                return None
 
-        def authenticated_userid(self, request):
-            return self.identify(request).id
+        def identify(self, request):
+            userid = self.authenticated_userid
+            if userid is None:
+                return None
+            return load_identity_from_db(request, userid)
 
         def permits(self, request, context, permission):
             """ Allow access to everything if signed in. """