// if the user sending the cookie did not log out and we are logging in
// again, then we need to make sure everything is cleaned up. we cleanup in all cases.
UserSession usess = ureq.getUserSession();
// prepare for a new user: clear all the instance vars of the userSession
// note: does not invalidate the session, since it is reused
usess.signOffAndClear();
// init the UserSession for the new User
// we can set the identity and finish the log in process
usess.setIdentity(identity);
setRolesFor(identity, usess);