
Python Server for multiple clients with or without XMLRPC

I made a set of XMLRPC client-server programs in Python and set up a little method for authenticating my clients. However, after coding pretty much the whole thing, I realized that once a client was authenticated, the flag I had set for it was global in my class, i.e. as long as one client is authenticated, all clients are authenticated. I don't know why, but I was under the impression that whenever SimpleXMLRPCServer was connected to by a client, it would create a new set of variables in my program.

Basically the way it's set up now is

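class someclass:
    # one flag on the single registered instance, so it is shared by all clients
    authenticated = False
    def authenticate(self, username, pass):
        #do something here
        if check_for_authentication(username, pass):
            self.authenticated = True
    def other_action(self, vars):
        if self.authenticated:
            #do whatever
        else:
            return "Not authorized."

# the server address is passed as a single (host, port) tuple
server=SimpleXMLRPCServer.SimpleXMLRPCServer(("0.0.0.0", 8000))
server.register_instance(someclass())
server.serve_forever()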

I need either a way to hack this into what I am looking for (i.e. the authenticated flag needs to be set for each client that connects), or another protocol that can do this more easily. After some searching I have been looking at Twisted, but since this is already written, I'd rather modify it than have to rewrite it. I know for now I could just always get the username and password from the client, but in the interest of resources (having to authenticate on every request) and saving bandwidth (which some of my clients have in very limited quantities), I'd rather not do that.

Also, this is my first time trying to secure something like this (and I am not trained in internet security), so if I am overlooking some glaring error in my logic, please tell me. Basically, I can't have someone sending me fake variables in "other_actions".

Something like this would work:

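import SimpleXMLRPCServer

class SomeClass(object):
    # token -> True; lives on the one registered instance, keyed per login
    authenticated = {}
    def authenticate(self, username, password):
        #do something here
        # check_for_authentication is the credential check from the question
        if check_for_authentication(username, password):
            # make unique token can probably be just a hash
            # of the millisecond time and the username
            token = make_unique_token(username)
            self.authenticated[token] = True
            # return the token so the client can send it with later calls
            return token
        # XML-RPC cannot marshal None by default, so return an empty string
        return ""
    def other_action(self, vars):
        # This will return True if the user is authenticated
        # and None otherwise, which evaluates to False
        if self.authenticated.get(vars.get('authentication-token')):
            #do whatever
            pass
        else:
            return "Not authorized."

# the server address is passed as a single (host, port) tuple
server=SimpleXMLRPCServer.SimpleXMLRPCServer(("0.0.0.0", 8000))
server.register_instance(SomeClass())
server.serve_forever()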

You just need to pass them an authentication token once they've logged in.

I assume you know you can't actually use pass as a variable name. Please remember to accept answers to your questions (I noticed you haven't for your last several).

You have to decide. If you really want to use one instance for all clients, you have to store the "authenticated" state somewhere else. I am not familiar with SimpleXMLRPCServer(), but if you could get the connection object somewhere, or at least its source address, you could establish a set() where all authenticated clients/connections/whatever are registered.
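The per-client token approach from the first answer, written out as an added example that is not part of either answer. It uses Python 3's `xmlrpc.server`, draws tokens from the `secrets` CSPRNG instead of hashing the time and username, and expires them. The names `SessionService`, `USERS`, `SESSION_TTL` and `logout` and the sample credentials are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
from xmlrpc.server import SimpleXMLRPCServer

SESSION_TTL = 900  # seconds a token stays valid (assumed value)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample credential store: username -> (salt, password hash)
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

class SessionService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # token -> (username, expiry); one entry per login

    def authenticate(self, username, password):
        salt, stored = USERS.get(str(username), (_SALT, b""))
        if not hmac.compare_digest(_hash(str(password), salt), stored):
            return ""  # XML-RPC cannot marshal None by default
        token = secrets.token_urlsafe(32)  # unpredictable, unlike a time/username hash
        self._sessions[token] = (username, self._clock() + SESSION_TTL)
        return token

    def _user_for(self, token):  # leading underscore: not exposed over XML-RPC
        if not isinstance(token, str) or token not in self._sessions:
            return None
        username, expiry = self._sessions[token]
        if self._clock() >= expiry:
            del self._sessions[token]  # drop the expired session
            return None
        return username

    def other_action(self, token, value):
        user = self._user_for(token)
        if user is None:
            return "Not authorized."
        return "%s ran other_action(%r)" % (user, value)

    def logout(self, token):
        return isinstance(token, str) and self._sessions.pop(token, None) is not None

if __name__ == "__main__":
    # Loopback only: XML-RPC is plaintext, so terminate TLS in front before exposing it.
    server = SimpleXMLRPCServer(("127.0.0.1", 8000))
    server.register_instance(SessionService())
    server.serve_forever()
```

The client sends the username and password once, then only the token, which keeps per-request overhead small; because the token is a bearer credential, anyone who can read the unencrypted traffic can replay it until it expires.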
