diff --git a/Resources/doc/features/user-context.rst b/Resources/doc/features/user-context.rst
index 05e21b67..05b25717 100644
--- a/Resources/doc/features/user-context.rst
+++ b/Resources/doc/features/user-context.rst
@@ -49,7 +49,7 @@ You need to configure a route for the context hash. It does not specify any
 controller, as the request listener will abort the request right after the
 firewall has been applied, but the route definition must exist. Use the same
 path as you specified in the caching proxy and make sure that this path is
-covered by your
+allowed for anonymous users and covered by your
 `firewall configuration <http://symfony.com/doc/current/book/security.html>`_:
 
 .. code-block:: yaml
@@ -58,6 +58,17 @@ covered by your
     user_context_hash:
         path: /_fos_user_context_hash
 
+If your access rules limit the whole site to logged in users, make sure to
+handle the user context URL like the login page:
+
+.. code-block:: yaml
+
+    # app/config/security.yml
+    access_control:
+        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/_fos_user_context_hash, roles: [IS_AUTHENTICATED_ANONYMOUSLY] }
+        - { path: ^/, roles: ROLE_USER }
+
 Finally, enable the subscriber with the default settings:
 
 .. code-block:: yaml
diff --git a/Resources/doc/spelling_word_list.txt b/Resources/doc/spelling_word_list.txt
index 11bec598..6aacfdf2 100644
--- a/Resources/doc/spelling_word_list.txt
+++ b/Resources/doc/spelling_word_list.txt
@@ -14,4 +14,5 @@ lookup
 lookups
 TTL
 multi
+login
 logout