The following example checks if the user has entered the string good as the token number. If the value of the token number is anything other than good, the plugin displays a prompt to the user up to three times. After three unsuccessful attempts, the plugin terminates the connection.

def authenticate(self, key_value_pairs, cookie):
    if key_value_pairs.get('token') == "good":
        return {'verdict': 'ACCEPT'}

    cookie['cnt'] = cookie.get('cnt', 0) + 1
    if cookie['cnt'] > 3:
        return {'verdict': 'DENY'}

    return {'verdict': 'NEEDINFO',
            'question': ('token', 'Enter token number: '),
            'cookie': cookie

The following example shows how to use the cookie to transfer data from the authenticate method to the session_ended method.

import sys

class Plugin(object):

    def authenticate(self, session_id, cookie, protocol, 
    connection_name, client_ip, client_port, key_value_pairs):
        token = key_value_pairs.pop('token', None)

    # Accept the connection if the user provides a token number
    if token:
        # Write code here that validates the token number and 
        retrieves the username and usergroups of the user
        # We add the client_ip to the 'cookie' so it will be 
        available in the session_ended method as well
        return {
            'verdict': 'ACCEPT',
            'gateway_user': 'username-received-from-third-party',
            'gateway_groups': [
            'additional_metadata': token,
            'cookie': {'client_ip': client_ip}

    # Display a prompt to the user to request a token number
        return {
            'verdict': 'NEEDINFO',
            'question': ('token', 'Enter your token number: ')

    def session_ended(self, session_id, cookie):
        session_details = ','.join([
            '{0}={1}'.format(key, cookie[key]) for key in 

    # Send a log message when the session ends, including the 
    # client_ip address received in the cookie
    print("Session ended; session_id='{0}', session_details='{1}'".
        format(session_id, session_details))