diff --git a/libtac/include/libtac.h b/libtac/include/libtac.h
index 8f2c9fbb..8795b82f 100644
--- a/libtac/include/libtac.h
+++ b/libtac/include/libtac.h
@@ -161,6 +161,7 @@ struct tac_session {
     uint32_t tac_session_id;
     bool tac_encryption;
     bool tac_multiplex;
+    bool tac_idle;			/* not exposed via API */
     uint8_t tac_priv_lvl;
     uint8_t tac_authen_method;
     uint8_t tac_authen_service;
diff --git a/libtac/lib/session.c b/libtac/lib/session.c
index fb316ccd..19292830 100644
--- a/libtac/lib/session.c
+++ b/libtac/lib/session.c
@@ -37,6 +37,7 @@ tac_session_alloc_extra(unsigned n)
     sess->tac_secret = NULL;
     sess->tac_session_id = magic();
     sess->tac_encryption = sess->tac_multiplex = false;
+    sess->tac_idle = true;
     sess->tac_priv_lvl = TAC_PLUS_PRIV_LVL_MIN;
     sess->tac_authen_service = TAC_PLUS_AUTHEN_SVC_PPP;
     sess->tac_authen_method = TAC_PLUS_AUTHEN_METH_TACACSPLUS;
diff --git a/libtac/lib/wrappers.c b/libtac/lib/wrappers.c
index fb21d63d..b4315bed 100644
--- a/libtac/lib/wrappers.c
+++ b/libtac/lib/wrappers.c
@@ -144,8 +144,14 @@ static void eventcb(struct bufferevent *bev, short events, void *ptr)
     if (sess->oob_cb) {
         if (events & BEV_EVENT_CONNECTED) {
                 TACDEBUG(LOG_DEBUG, "session %p connected", sess);
-		/* change for setup timeout to read/write timeout values */
-		tac_session_reset_timeouts(sess, true);
+		/*
+		 * if we had enqueued a request before the connect
+		 * completed, then the idle flag would be false
+		 * and we would want to reset the timer; if we didn't
+		 * have a request on-the-wire, then the timeout gets
+		 * cleared once we're connected.
+		 */
+		tac_session_reset_timeouts(sess, !sess->tac_idle);
 		(sess->oob_cb)(sess, &sess->context, CONNECTED);
         }
         if (events & BEV_EVENT_ERROR) {
@@ -241,6 +247,9 @@ static void readcb(struct bufferevent *bev, void *ptr)
     /* turn off timeouts */
     tac_session_reset_timeouts(sess, false);
 
+    /* received response, so connection is idle again */
+    sess->tac_idle = true;
+
     tac_parse_pkt(sess, ctx, pkt, ((i > 0) ? i : 0));
 
     free(pkt);
@@ -328,6 +337,9 @@ tac_authen_send_ev(struct tac_session *sess,
     ret = bufferevent_write_buffer(sess->bufev, evbuf);
     evbuffer_free(evbuf);
 
+    /* we have a request on-the-wire */
+    sess->tac_idle = false;
+
     TACDEBUG(LOG_DEBUG, "session %p: write status=%d", sess, ret);
 
     return (ret == 0);
@@ -367,6 +379,9 @@ tac_author_send_ev(struct tac_session *sess,
     ret = bufferevent_write_buffer(sess->bufev, evbuf);
     evbuffer_free(evbuf);
 
+    /* we have a request on-the-wire */
+    sess->tac_idle = false;
+
     TACDEBUG(LOG_DEBUG, "session %p write status=%d", sess, ret);
 
     return (ret == 0);
@@ -406,6 +421,9 @@ tac_acct_send_ev(struct tac_session *sess,
     ret = bufferevent_write_buffer(sess->bufev, evbuf);
     evbuffer_free(evbuf);
 
+    /* we have a request on-the-wire */
+    sess->tac_idle = false;
+
     TACDEBUG(LOG_DEBUG, "session %p write status=%d", sess, ret);
 
     return (ret == 0);
@@ -442,6 +460,9 @@ tac_cont_send_ev(struct tac_session *sess, const char *pass) {
     ret = bufferevent_write_buffer(sess->bufev, evbuf);
     evbuffer_free(evbuf);
 
+    /* we have a request on-the-wire */
+    sess->tac_idle = false;
+
     TACDEBUG(LOG_DEBUG, "session %p write status=%d", sess, ret);
 
     return (ret == 0);