on some user:passwd if the encoded string is not multiple of 24bits, appending '=' cures.

Logged In: YES 
user_id=147070

cgi_client.py:
cookie = cookie['roundup_user'].value
user, password = base64.decodestring(cookie+'=').split(':')
HERE______________________________________/!!!!
# make sure the user exists

Logged In: YES 
user_id=6405

Hrm - I'm a little concerned. I haven't looked at the code 
yet, but I recall that that string is the output of 
passing user:passedword to base64.encodestring. I must be 
trucating the string somewhere...

Logged In: YES 
user_id=6405

I've committed a change to the cvs that may fix this. I've 
switched to using binascii.[a2b|b2a]_base64 and am using 
strip() instead of [:-1]. I tested with:

>>> import binascii
>>> binascii.a2b_base64(binascii.b2a_base64('a'))
'a'
>>> binascii.a2b_base64(binascii.b2a_base64('ab'))
'ab'
>>> binascii.a2b_base64(binascii.b2a_base64('abc'))
'abc'
>>> binascii.a2b_base64(binascii.b2a_base64('abcd'))
'abcd'


so if it still breaks, there's something else doing a 
truncation of the data.

Logged In: YES 
user_id=6405

*ahem*
sorry, the test I did was actually:
>>> import binascii
>>> binascii.a2b_base64(binascii.b2a_base64('a').strip())
'a'
>>> binascii.a2b_base64(binascii.b2a_base64('ab').strip())
'ab'
>>> binascii.a2b_base64(binascii.b2a_base64('abc').strip())
'abc'
>>> 
binascii.a2b_base64(binascii.b2a_base64('abcd').strip())

Logged In: YES 
user_id=147070

ahem too still the same. and your test also works with base64. but lynx does not like it. 
maybe the cookies value should be quoted for the trailing "=" to survive.
 

Logged In: YES 
user_id=147070

the cvs version works.

Logged In: YES 
user_id=147070

sorry for the hassle it does not work (only with abc as password).
acchording to my rfc understanding and to the Cookie module, Cookies with "=" in the value must be quoted. cgi_client.py line 599 (guessed).

Does IE quote the string, tolerate this or is anyone using 3 letter passwords ?