On 01/12/2014 01:41 PM, David Woodhouse wrote:
>> Indeed that was the issue and it seems it is now fixed by having
>> ocserv use a compact authentication method (ask both username
>> and password in one go) if the client does auth using the
>> "Connection: Close" HTTP headers. That would work only if a single
>> password is required from PAM, but I guess that's a reasonable
>> trade-off.
>
> Hm, but that isn't a sufficient indicator that the client will *actually*
> reuse the same connection. The connection might close anyway, if there is
> a crap proxy or NAT timeout while the user is entering their response etc.
> I think you have to be prepared to be stateless every time, keeping a pool
> of active PAM sessions and a cookie to match client to session, and a
> timeout/expiry for them.

That would be tricky, since ocserv is based on each client having a separate
process. Being totally stateless would require adding logic for clients to
"steal" the state of another process. I want to keep all clients isolated to
keep a simple security model, so I'll try to avoid it if possible.

regards,
Nikos
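As an added illustration of the cookie-matched, expiring session pool David describes (example code written for this page, not code from ocserv or from either poster), the sketch below keeps a half-finished login's state keyed by an opaque cookie so the second step can be matched even after the first HTTP connection has closed; the class name `PendingAuthPool` and the 60-second `PENDING_TTL` are assumptions.

```python
import hmac
import secrets
import time

# Assumed value: how long a half-finished login stays resumable (seconds).
PENDING_TTL = 60.0


class PendingAuthPool:
    """Pool of pending multi-step auth conversations, keyed by cookie.

    The state is found by cookie rather than by TCP connection, so a
    proxy or NAT dropping the connection between the two steps does not
    lose the conversation; stale entries are expired on every access.
    """

    def __init__(self, now=time.monotonic):
        self._now = now        # injectable clock, so tests can advance time
        self._sessions = {}    # cookie -> {"user": str, "expires": float}

    def start(self, username):
        """Step 1: record the conversation state and hand back a cookie."""
        self.expire_stale()
        cookie = secrets.token_urlsafe(32)   # unguessable, URL-safe
        self._sessions[cookie] = {
            "user": username,
            "expires": self._now() + PENDING_TTL,
        }
        return cookie

    def resume(self, cookie):
        """Step 2: look the state up by cookie; None if unknown or expired."""
        self.expire_stale()
        # Constant-time comparison so lookup timing does not leak the cookie.
        match = next(
            (k for k in self._sessions if hmac.compare_digest(k, cookie)), None
        )
        if match is None:
            return None
        # One-shot: a cookie resumes its conversation exactly once.
        return self._sessions.pop(match)["user"]

    def expire_stale(self):
        """Drop entries whose expiry time has passed."""
        now = self._now()
        for cookie in [c for c, s in self._sessions.items() if s["expires"] <= now]:
            del self._sessions[cookie]

    def __len__(self):
        return len(self._sessions)
```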