diff --git a/src/sec-mod-auth.c b/src/sec-mod-auth.c
index f80bec85..d39ec751 100644
--- a/src/sec-mod-auth.c
+++ b/src/sec-mod-auth.c
@@ -99,7 +99,7 @@ static int generate_cookie(sec_mod_st * sec, client_entry_st * entry)
 }
 
 static
-int send_sec_auth_reply(sec_mod_st * sec, client_entry_st * entry, AUTHREP r)
+int send_sec_auth_reply(int cfd, sec_mod_st * sec, client_entry_st * entry, AUTHREP r)
 {
 SecAuthReplyMsg msg = SEC_AUTH_REPLY_MSG__INIT;
 int ret;
@@ -127,7 +127,7 @@ int send_sec_auth_reply(sec_mod_st * sec, client_entry_st * entry, AUTHREP r)
 msg.dtls_session_id.data = entry->dtls_session_id;
 msg.dtls_session_id.len = sizeof(entry->dtls_session_id);
 
-ret = send_msg(entry, sec->fd, SM_CMD_AUTH_REP,
+ret = send_msg(entry, cfd, SM_CMD_AUTH_REP,
 &msg,
 (pack_size_func)
 sec_auth_reply_msg__get_packed_size,
@@ -135,7 +135,7 @@ int send_sec_auth_reply(sec_mod_st * sec, client_entry_st * entry, AUTHREP r)
 } else {
 msg.reply = AUTH__REP__FAILED;
 
-ret = send_msg(entry, sec->fd, SM_CMD_AUTH_REP,
+ret = send_msg(entry, cfd, SM_CMD_AUTH_REP,
 &msg,
 (pack_size_func)
 sec_auth_reply_msg__get_packed_size,
@@ -152,7 +152,7 @@ int send_sec_auth_reply(sec_mod_st * sec, client_entry_st * entry, AUTHREP r)
 }
 
 static
-int send_sec_auth_reply_msg(sec_mod_st * sec, client_entry_st * e)
+int send_sec_auth_reply_msg(int cfd, sec_mod_st * sec, client_entry_st * e)
 {
 SecAuthReplyMsg msg = SEC_AUTH_REPLY_MSG__INIT;
 char tmp[MAX_MSG_SIZE] = "";
@@ -173,7 +173,7 @@ int send_sec_auth_reply_msg(sec_mod_st * sec, client_entry_st * e)
 msg.sid.data = e->sid;
 msg.sid.len = sizeof(e->sid);
 
-ret = send_msg(e, sec->fd, SM_CMD_AUTH_REP, &msg,
+ret = send_msg(e, cfd, SM_CMD_AUTH_REP, &msg,
 (pack_size_func) sec_auth_reply_msg__get_packed_size,
 (pack_func) sec_auth_reply_msg__pack);
 if (ret < 0) {
@@ -253,12 +253,12 @@ static int check_user_group_status(sec_mod_st * sec, client_entry_st * e,
 * @result: the auth result
 */
 static
-int handle_sec_auth_res(sec_mod_st * sec, client_entry_st * e, int result)
+int handle_sec_auth_res(int cfd, sec_mod_st * sec, client_entry_st * e, int result)
 {
 int ret;
 
 if (result == ERR_AUTH_CONTINUE) {
-ret = send_sec_auth_reply_msg(sec, e);
+ret = send_sec_auth_reply_msg(cfd, sec, e);
 if (ret < 0) {
 e->status = PS_AUTH_FAILED;
 seclog(sec, LOG_ERR, "could not send reply auth cmd.");
@@ -268,7 +268,7 @@ int handle_sec_auth_res(sec_mod_st * sec, client_entry_st * e, int result)
 } else if (result == 0) {
 e->status = PS_AUTH_COMPLETED;
 
-ret = send_sec_auth_reply(sec, e, AUTH__REP__OK);
+ret = send_sec_auth_reply(cfd, sec, e, AUTH__REP__OK);
 if (ret < 0) {
 e->status = PS_AUTH_FAILED;
 seclog(sec, LOG_ERR, "could not send reply auth cmd.");
@@ -280,7 +280,7 @@ int handle_sec_auth_res(sec_mod_st * sec, client_entry_st * e, int result)
 e->status = PS_AUTH_FAILED;
 add_ip_to_ban_list(sec, e->ip, time(0) + sec->config->min_reauth_time);
 
-ret = send_sec_auth_reply(sec, e, AUTH__REP__FAILED);
+ret = send_sec_auth_reply(cfd, sec, e, AUTH__REP__FAILED);
 if (ret < 0) {
 seclog(sec, LOG_ERR, "could not send reply auth cmd.");
 return ret;
@@ -299,10 +299,11 @@ int handle_sec_auth_res(sec_mod_st * sec, client_entry_st * e, int result)
 
 /* opens or closes a session. */
-int handle_sec_auth_session_cmd(sec_mod_st * sec, const SecAuthSessionMsg * req,
-unsigned cmd, client_entry_st **r_entry)
+int handle_sec_auth_session_cmd(int cfd, sec_mod_st * sec, const SecAuthSessionMsg * req,
+unsigned cmd)
 {
 client_entry_st *e;
+void *lpool;
 int ret;
 
 if (req->sid.len != SID_SIZE) {
@@ -318,9 +319,7 @@ int handle_sec_auth_session_cmd(sec_mod_st * sec, const SecAuthSessionMsg * req,
 }
 
 if (cmd == SM_CMD_AUTH_SESSION_OPEN) {
-if (r_entry) {
-*r_entry = e;
-}
+SecAuthSessionReplyMsg rep = SEC_AUTH_SESSION_REPLY_MSG__INIT;
 
 if (module == NULL || module->open_session == NULL)
 return 0;
@@ -330,9 +329,31 @@ int handle_sec_auth_session_cmd(sec_mod_st * sec, const SecAuthSessionMsg * req,
 e->status = PS_AUTH_FAILED;
 seclog(sec, LOG_ERR, "could not open session.");
 del_client_entry(sec, e);
-return ret;
+rep.reply = AUTH__REP__FAILED;
+} else {
+e->have_session = 1;
+rep.reply = AUTH__REP__OK;
 }
-e->have_session = 1;
+
+lpool = talloc_new(e);
+if (lpool == NULL) {
+return ERR_MEM;
+}
+
+ret = sec->config_module->get_sup_config(sec->config, e, &rep, lpool);
+if (ret < 0) {
+seclog(sec, LOG_ERR, "error reading additional configuration for '%s'", e->username);
+talloc_free(lpool);
+return ERR_READ_CONFIG;
+}
+
+ret = send_msg(lpool, cfd, SM_CMD_AUTH_SESSION_REPLY, &rep,
+(pack_size_func) sec_auth_session_reply_msg__get_packed_size,
+(pack_func) sec_auth_session_reply_msg__pack);
+if (ret < 0) {
+seclog(sec, LOG_WARNING, "sec-mod error in sending session reply");
+}
+talloc_free(lpool);
 } else {
 del_client_entry(sec, e);
 }
@@ -371,7 +392,7 @@ int handle_sec_auth_stats_cmd(sec_mod_st * sec, const CliStatsMsg * req)
 return 0;
 }
 
-int handle_sec_auth_cont(sec_mod_st * sec, const SecAuthContMsg * req)
+int handle_sec_auth_cont(int cfd, sec_mod_st * sec, const SecAuthContMsg * req)
 {
 client_entry_st *e;
 int ret;
@@ -416,10 +437,10 @@ int handle_sec_auth_cont(sec_mod_st * sec, const SecAuthContMsg * req)
 e->username);
 }
 
-return handle_sec_auth_res(sec, e, ret);
+return handle_sec_auth_res(cfd, sec, e, ret);
 }
 
-int handle_sec_auth_init(sec_mod_st * sec, const SecAuthInitMsg * req)
+int handle_sec_auth_init(int cfd, sec_mod_st * sec, const SecAuthInitMsg * req)
 {
 int ret = -1;
 client_entry_st *e;
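Review bot: Now that the SM_CMD_AUTH_SESSION_REPLY is built and sent inside handle_sec_auth_session_cmd, the retained `if (module == NULL || module->open_session == NULL) return 0;` leaves the function before any reply goes out, whereas the code this replaces in src/sec-mod.c answered every SESSION_OPEN with a reply regardless of the module. A peer blocked on that reply would hang on this path unless it has its own timeout, which is not visible here. I would replace the early return with `rep.reply = AUTH__REP__OK;` and jump to the `send_msg(lpool, cfd, SM_CMD_AUTH_SESSION_REPLY, …)` call in the following hunk via a label, or at least document above the `if` that no reply is sent when no module is loaded. handle_sec_auth_session_cmd begins and continues outside this hunk.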
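Review bot: In the open-failure branch `del_client_entry(sec, e);` still runs, yet the new code then falls through to `talloc_new(e)`, `get_sup_config(sec->config, e, &rep, lpool)` and `e->username` in the error log, so if del_client_entry releases the entry (its name and the `return ret;` it used to be followed by suggest it does) the failure path uses `e` after it is freed. The removed process_packet code had the same ordering, so the move carries the flaw over rather than introducing it, but it also drops the old `if (sec->config_module && e != NULL)` guard and now dereferences `sec->config_module` unconditionally. One ordering that avoids both: decide the reply first, consult the config module only for a successfully opened session, send, and delete the entry last. The function continues beyond this hunk.
```c
	if (ret < 0) {
		e->status = PS_AUTH_FAILED;
		seclog(sec, LOG_ERR, "could not open session.");
		rep.reply = AUTH__REP__FAILED;
	} else {
		e->have_session = 1;
		rep.reply = AUTH__REP__OK;
	}

	lpool = talloc_new(e);
	if (lpool == NULL) {
		if (rep.reply == AUTH__REP__FAILED)
			del_client_entry(sec, e);
		return ERR_MEM;
	}

	/* supplementary config is only meaningful for an open session */
	if (rep.reply == AUTH__REP__OK && sec->config_module) {
		ret = sec->config_module->get_sup_config(sec->config, e, &rep, lpool);
		if (ret < 0) {
			seclog(sec, LOG_ERR, "error reading additional configuration for '%s'", e->username);
			talloc_free(lpool);
			return ERR_READ_CONFIG;
		}
	}

	/* … unchanged: send_msg(lpool, cfd, SM_CMD_AUTH_SESSION_REPLY, &rep, …) and its warning … */
	talloc_free(lpool);

	/* lpool is a child of e, so the entry is released only after lpool */
	if (rep.reply == AUTH__REP__FAILED)
		del_client_entry(sec, e);
```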
@@ -513,7 +534,7 @@ int handle_sec_auth_init(sec_mod_st * sec, const SecAuthInitMsg * req)
 
 ret = 0;
 cleanup:
-return handle_sec_auth_res(sec, e, ret);
+return handle_sec_auth_res(cfd, sec, e, ret);
 }
 
 void sec_auth_user_deinit(sec_mod_st * sec, client_entry_st * e)
diff --git a/src/sec-mod.c b/src/sec-mod.c
index c31d0120..9b3015dc 100644
--- a/src/sec-mod.c
+++ b/src/sec-mod.c
@@ -167,7 +167,7 @@ int load_pins(struct cfg_st *config, struct pin_st *s)
 return 0;
 }
 
-static int handle_op(void *pool, sec_mod_st * sec, uint8_t type, uint8_t * rep,
+static int handle_op(void *pool, int cfd, sec_mod_st * sec, uint8_t type, uint8_t * rep,
 size_t rep_size)
 {
 SecOpMsg msg = SEC_OP_MSG__INIT;
@@ -176,7 +176,7 @@ static int handle_op(void *pool, sec_mod_st * sec, uint8_t type, uint8_t * rep,
 msg.data.data = rep;
 msg.data.len = rep_size;
 
-ret = send_msg(pool, sec->fd, type, &msg,
+ret = send_msg(pool, cfd, type, &msg,
 (pack_size_func) sec_op_msg__get_packed_size,
 (pack_func) sec_op_msg__pack);
 if (ret < 0) {
@@ -187,7 +187,7 @@ static int handle_op(void *pool, sec_mod_st * sec, uint8_t type, uint8_t * rep,
 }
 
 static
-int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
+int process_packet(void *pool, int cfd, sec_mod_st * sec, cmd_request_t cmd,
 uid_t uid, uint8_t * buffer, size_t buffer_size)
 {
 unsigned i;
@@ -244,7 +244,7 @@ int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
 return -1;
 }
 
-ret = handle_op(pool, sec, cmd, out.data, out.size);
+ret = handle_op(pool, cfd, sec, cmd, out.data, out.size);
 gnutls_free(out.data);
 
 return ret;
@@ -276,7 +276,7 @@ int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
 return -1;
 }
 
-ret = handle_sec_auth_init(sec, auth_init);
+ret = handle_sec_auth_init(cfd, sec, auth_init);
 sec_auth_init_msg__free_unpacked(auth_init, &pa);
 return ret;
 }
@@ -291,16 +291,13 @@ int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
 return -1;
 }
 
-ret = handle_sec_auth_cont(sec, auth_cont);
+ret = handle_sec_auth_cont(cfd, sec, auth_cont);
 sec_auth_cont_msg__free_unpacked(auth_cont, &pa);
 return ret;
 }
 case SM_CMD_AUTH_SESSION_OPEN:
 case SM_CMD_AUTH_SESSION_CLOSE:{
 SecAuthSessionMsg *msg;
-void *lpool = NULL;
-SecAuthSessionReplyMsg rep = SEC_AUTH_SESSION_REPLY_MSG__INIT;
-client_entry_st *e = NULL;
 
 if (uid != 0) {
 seclog(sec, LOG_INFO, "received session open/close from unauthorized uid (%u)\n", (unsigned)uid);
@@ -315,38 +312,9 @@ int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
 return -1;
 }
 
-ret = handle_sec_auth_session_cmd(sec, msg, cmd, &e);
+ret = handle_sec_auth_session_cmd(cfd, sec, msg, cmd);
 sec_auth_session_msg__free_unpacked(msg, &pa);
 
-if (cmd == SM_CMD_AUTH_SESSION_OPEN) {
-if (ret < 0 || e == NULL)
-rep.reply = AUTH__REP__FAILED;
-else
-rep.reply = AUTH__REP__OK;
-
-if (sec->config_module && e != NULL) {
-lpool = talloc_new(e);
-if (lpool == NULL) {
-return ERR_MEM;
-}
-
-ret = sec->config_module->get_sup_config(sec->config, e, &rep, lpool);
-if (ret < 0) {
-seclog(sec, LOG_ERR, "error reading additional configuration for '%s'", e->username);
-talloc_free(lpool);
-return ERR_READ_CONFIG;
-}
-}
-
-ret = send_msg(pool, sec->fd, SM_CMD_AUTH_SESSION_REPLY, &rep,
-(pack_size_func) sec_auth_session_reply_msg__get_packed_size,
-(pack_func) sec_auth_session_reply_msg__pack);
-if (ret < 0) {
-seclog(sec, LOG_WARNING, "sec-mod error in sending session reply");
-}
-talloc_free(lpool);
-}
-
 return ret;
 }
 default:
@@ -405,14 +373,13 @@ static void check_other_work(sec_mod_st *sec)
 }
 }
 
-/* serves a new requst.
- * the provided buffer is also pool for other allocations */
 static
 void serve_request(sec_mod_st *sec, uid_t uid, int cfd, uint8_t *buffer, unsigned buffer_size)
 {
 int ret, e;
 unsigned cmd, length;
 uint16_t l16;
+void *pool = buffer;
 
 /* read request */
 ret = force_read_timeout(cfd, buffer, 3, MAX_WAIT_SECS);
@@ -443,13 +410,13 @@ void serve_request(sec_mod_st *sec, uid_t uid, int cfd, uint8_t *buffer, unsigne
 goto leave;
 }
 
-sec->fd = cfd;
-ret = process_packet(buffer, sec, cmd, uid, buffer, ret);
+ret = process_packet(pool, cfd, sec, cmd, uid, buffer, ret);
 if (ret < 0) {
 seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
 }
 
 leave:
+talloc_free(pool);
 close(cfd);
 return;
 }
diff --git a/src/sec-mod.h b/src/sec-mod.h
index 96ae66bd..cbc7a75e 100644
--- a/src/sec-mod.h
+++ b/src/sec-mod.h
@@ -36,8 +36,6 @@ typedef struct sec_mod_st {
 struct htable *ban_db;
 struct config_mod_st *config_module;
-
-int fd;
 } sec_mod_st;
@@ -93,9 +91,9 @@ void cleanup_client_entries(sec_mod_st *sec);
 
 void sec_auth_init(void *pool, struct cfg_st *config);
 
-int handle_sec_auth_init(sec_mod_st *sec, const SecAuthInitMsg * req);
-int handle_sec_auth_cont(sec_mod_st *sec, const SecAuthContMsg * req);
-int handle_sec_auth_session_cmd(sec_mod_st * sec, const SecAuthSessionMsg * req, unsigned cmd, client_entry_st **_e);
+int handle_sec_auth_init(int cfd, sec_mod_st *sec, const SecAuthInitMsg * req);
+int handle_sec_auth_cont(int cfd, sec_mod_st *sec, const SecAuthContMsg * req);
+int handle_sec_auth_session_cmd(int cfd, sec_mod_st *sec, const SecAuthSessionMsg *req, unsigned cmd);
 int handle_sec_auth_stats_cmd(sec_mod_st * sec, const CliStatsMsg * req);
 void sec_auth_user_deinit(sec_mod_st * sec, client_entry_st * e);
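Review bot: `talloc_free(pool);` at `leave:` now releases `buffer`, which serve_request receives from its caller, so ownership of that buffer silently moves into this function; if the caller allocates it once and reuses it across requests (its code is not visible here), the next request would run on freed memory, and if it frees it itself this becomes a double free. The commit also deletes the only comment that recorded buffer's role as the allocation pool, so the contract should be restated at the definition, e.g. `/* serves a new request; buffer is a talloc context owned by this function and freed before return, so the caller must allocate a fresh one per request */`. Any early `return` between the request read and `leave:` (the middle of the function is outside this hunk) would now also skip the free and should be routed through the label.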