> Indeed that was the issue and it seems it is now fixed by having
> ocserv use a compact authentication method (ask both username
> and password in one go) if the client does auth using the
> "Connection: Close" HTTP headers. That would work only if a single
> password is required from PAM, but I guess that's a reasonable
> trade-off.

Hm, but that isn't a sufficient indicator that the client will
*actually* reuse the same connection. The connection might close anyway,
if there is a crap proxy or NAT timeout while the user is entering their
response etc.

I think you have to be prepared to be stateless every time, keeping a
pool of active PAM sessions and a cookie to match client to session, and
a timeout/expiry for them.

-- 
dwmw2
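
The pool-plus-cookie design suggested in the reply above, as an added example that is not part of the original message and not ocserv's code. All names (`auth_session`, `session_new`, `session_find`), the pool size and the 120-second timeout are assumptions, and `pam_state` stands in for whatever handle the server keeps for a suspended PAM conversation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define POOL_SIZE    64
#define COOKIE_LEN   16
#define AUTH_TIMEOUT 120  /* seconds; assumed value */

struct auth_session {
    int in_use;
    uint8_t cookie[COOKIE_LEN];  /* handed to the client, e.g. as an HTTP cookie */
    time_t expires;
    void *pam_state;             /* stand-in for the suspended PAM conversation */
};
static struct auth_session pool[POOL_SIZE];

/* Expire pending authentications whose deadline has passed. */
static void session_reap(time_t now) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].in_use && pool[i].expires <= now)
            memset(&pool[i], 0, sizeof pool[i]);
}

/* Start a pending authentication; NULL if the pool is full or the RNG fails. */
struct auth_session *session_new(void *pam_state, time_t now) {
    session_reap(now);
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].in_use) continue;
        FILE *f = fopen("/dev/urandom", "rb");
        size_t n = f ? fread(pool[i].cookie, 1, COOKIE_LEN, f) : 0;
        if (f) fclose(f);
        if (n != COOKIE_LEN) return NULL;
        pool[i].in_use = 1;
        pool[i].expires = now + AUTH_TIMEOUT;
        pool[i].pam_state = pam_state;
        return &pool[i];
    }
    return NULL;
}

/* Match a cookie from any connection, new or reused, to its pending session. */
struct auth_session *session_find(const uint8_t *cookie, time_t now) {
    session_reap(now);
    for (int i = 0; i < POOL_SIZE; i++) {
        uint8_t diff = 0;  /* constant-time compare of the whole cookie */
        for (int j = 0; j < COOKIE_LEN; j++)
            diff |= (uint8_t)(pool[i].cookie[j] ^ cookie[j]);
        if (pool[i].in_use && diff == 0) return &pool[i];
    }
    return NULL;
}
```

Because lookup depends only on the cookie, it makes no difference whether the client's next request arrives on the same TCP connection or a new one, and a full pool or an expired entry simply forces the client to restart authentication.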