Actually, as I keep investigating, it seems the issue is in good parts "caused" by the GUAC_AUTH cookie. If I delete that cookie between invocations, all URL calls seem to be really authenticated. Now to find a way to work around that cookie use/creation (or invalidate it). The cause, I believe, is that in order to get the terminal session started immediately, I have to create an on-the-fly user authorization with only one connection allowed (to be different for each invocation). Looks like that's a border case for Guacamole. If there are multiple connections, then there is a home page to pick from (which we precisely want to avoid to obtain true in-context launch) so authentication caching through the cookie is OK. I also see signs that some information is kept by the server for these sessions so I now also worry about the accumulation of them (memory) over time.
-- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
