Electrical computers and digital processing systems: multicomput – Computer network managing – Computer network access regulating
Reexamination Certificate
1999-07-08
2004-01-13
Jaroenchonwanit, Bunjob (Department: 2143)
C713S152000
active
06678731
ABSTRACT:
TECHNICAL FIELD
This invention relates to network access systems. More particularly, the invention relates to the control of access to a network by a user through an authentication server that generates an authentication ticket indicating whether the user has been authenticated.
BACKGROUND OF THE INVENTION
The recent growth in popularity of the Internet has significantly increased the number of Internet users and the number of Internet sites (also referred to as “web sites”). Web sites may provide various types of information to users, offer products or services for sale, and provide games and other forms of entertainment. Many web sites require users to “register” by providing information about themselves before the web server grants access to the site. This registration information may include the user's name, account number, address, telephone number, email address, computer platform, age, gender, or hobbies. The registration information collected by the web site may be necessary to complete transactions (such as commercial or financial transactions). Additionally, information can be collected which allows the web site operator to learn about the visitors to the site to better target its future marketing activities or adjust the information provided on the web site. The collected information may also be used to allow the web site to contact the user directly (e.g., via email) in the future to announce, for example, special promotions, new products, or new features of the web site.
When registering with a web site for the first time, the web site typically requests that the user select a login ID and an associated password. The login ID allows the web site to identify the user and retrieve the user's information during subsequent user visits to the web site. Generally, the login ID must be unique to the web site such that no two users have the same login ID. The password associated with the login ID allows the web site to authenticate the user during subsequent visits to the web site. The password also prevents others (who do not know the password) from accessing the web site using the user's login ID. This password protection is particularly important if the web site stores private or confidential information about the user, such as financial information or medical records.
If a user visits several different web sites, each web site may require entry of similar registration information about the user, such as the user's name, mailing address, and email address. This repeated entry of identical data is tedious when visiting multiple web sites in a short period of time. Many web sites require the user to register before accessing any information provided on the web site. Thus, the user must enter the requested registration information before they can determine whether the site contains any information of interest.
After registering with multiple web sites, the user must remember the specific login ID and password used with each web site or other Internet service. Without the correct login ID and password, the user must re-enter the registration information. A particular user is likely to have different login IDs and associated passwords on different web sites. For example, a user named Bob Smith may select “smith” as his login ID for a particular site. If the site already has a user with a login ID of “smith” or requires a login ID of at least six characters, then the user must select a different login ID. After registering at numerous web sites, Bob Smith may have a collection of different login IDs, such as: smith, smith1, bsmith, smithb, bobsmith, bob_smith, and smithbob. Further, different passwords may be associated with different login IDs due to differing password requirements of the different web sites (e.g., password length requirements or a requirement that each password include at least one numeric character). Thus, Bob Smith must maintain a list of web sites, login IDs, and associated passwords for all sites that he visits regularly.
SUMMARY OF THE INVENTION
The invention provides a mechanism for controlling access to a network server (such as a web server) through the use of an authentication ticket. A web user can maintain a single login ID (and associated password) that provides access to multiple web servers or services. Once the user has logged into an authentication server, it is not necessary to re-enter the login ID or user information when accessing other affiliated web servers. The single login ID has an associated user profile that contains the registration information typically requested by web servers during a user registration process. The authentication server authenticates each login ID using the associated password and generates an authentication ticket indicating whether the user is authenticated (i.e., whether the user should be granted access to the web server). The individual web servers are not required to authenticate the individual users. Further, to protect the user's password, the individual web servers do not receive the user's password. Instead, the individual web servers receive an authentication ticket indicating whether the user was authenticated by the authentication server and how long since the user was last authenticated. The authentication ticket includes two time stamps: one indicating the last time the user's login ID and password were physically typed by the user and a second time stamp indicating the last time the user's login information was refreshed by the authentication server. This “refresh” of the user's login information may be performed silently or by having the user type the login information.
An implementation of the invention receives a request from a network server to authenticate a user who is seeking access to the network server. The process determines whether the user was already authenticated by the authentication server. If the user was already authenticated, then the network server is notified that the user is authenticated through the use of an authentication ticket. If the user was not already authenticated by the authentication server, then login information is retrieved from the user and compared to authentication information maintained by the authentication server. The network server is notified (through the use of an authentication ticket) that the user is authenticated if the retrieved login information matches the authentication information.
Other aspects of the invention provide for an authentication ticket that does not contain any reference to the user's login information.
In accordance with another aspect of the invention, the authentication ticket includes a first time stamp indicating the last time the user's login information was refreshed, and a second time stamp indicating the last time the user physically entered their login information.
In one embodiment of the invention, the network server is a web server coupled to the Internet.
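As an added illustration (not code from the patent or from its assignee), the following Python model shows the ticket flow the summary describes: the authentication server issues a ticket carrying only the authentication result and the two time stamps, never the login ID or password, and an affiliated web server decides from those stamps whether to grant access, ask for a silent refresh, or require the user to physically type their credentials again. The JSON encoding, the HMAC tag and the constructed key are assumptions not stated in the summary.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption): the authentication server keeps this secret;
# how affiliated servers verify tickets is not specified by the summary.
KEY = b"constructed-demo-key"


def issue_ticket(authenticated: bool, last_typed: int, last_refreshed: int) -> str:
    """Ticket with the authentication result and the two time stamps only.
    No reference to the user's login information is included."""
    body = json.dumps({"auth": authenticated, "typed": last_typed,
                       "refreshed": last_refreshed}, sort_keys=True).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest()  # assumed integrity tag
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def parse_ticket(ticket: str) -> dict:
    """Verify the tag and return the ticket fields; raises ValueError if tampered."""
    body_b64, tag = ticket.split(".", 1)
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ticket tag mismatch")
    return json.loads(body)


def silent_refresh(ticket: str, now: int) -> str:
    """Authentication server re-issues the ticket with a new refresh stamp;
    the 'typed' stamp is unchanged because the user did not retype anything."""
    fields = parse_ticket(ticket)
    return issue_ticket(fields["auth"], fields["typed"], now)


def check_access(ticket: str, now: int, max_refresh_age: int, max_typed_age: int) -> str:
    """Affiliated web server decision. Each server applies its own freshness
    policy, e.g. a site holding financial data may demand a recent typed login."""
    try:
        fields = parse_ticket(ticket)
    except ValueError:
        return "deny"            # malformed or tampered ticket
    if not fields["auth"]:
        return "deny"            # authentication server did not authenticate the user
    if now - fields["refreshed"] > max_refresh_age:
        return "refresh"         # send user back for a (possibly silent) refresh
    if now - fields["typed"] > max_typed_age:
        return "relogin"         # require the user to physically type credentials
    return "grant"
```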
Anderson Darren L.
Battle Ryan W.
Howard John Hal
Kunins Jeffrey C.
Metral Max E.
Lee & Hayes PLLC
Microsoft Corporation