Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing
Reexamination Certificate
1999-07-28
2002-12-03
Vu, Viet D. (Department: 2154)
Electrical computers and digital processing systems: multicomput
Computer-to-computer session/connection establishing
C709S202000, C709S217000, C709S223000
Reexamination Certificate
active
06490624
ABSTRACT:
FIELD OF THE INVENTION
This invention generally relates to information retrieval over a network, and, more specifically, to a method, apparatus, and product for managing one or more sessions in a stateless network system.
BACKGROUND OF THE INVENTION
Computer networks have become ubiquitous in business, industry, and education. In one approach, a network is configured with one or more user accounts, each of which is uniquely associated with a human network user or host computer. The network also has one or more resources, such as application programs that provide various computing functions, which are available to all users. In this approach, a user logs into his or her user account, selects a desired application. A disadvantage of this approach is that every user has the same rights to access any of the network resources.
Development of the globally accessible, packet-switched network known as the Internet has enabled network resources, accounts and applications to become available worldwide. Development of hypertext protocols that implement the World Wide Web (“The Web”) is enabling networks to serve as a platform for global electronic commerce. In particular, the Web is enabling the easy exchange of information between businesses and their customers, suppliers and partners.
Businesses are rushing to publish information on the Web and just as quickly stumbling into several roadblocks. For example, some information is valuable and sensitive, and needs to be made available only to selected users. Thus, there is a need to provide selective access to network resources and information over the Web.
This need exists in the context of internal Web networks that are available to employees of an organization, called Intranets, as well as Web networks and resources that are available to external customers, suppliers and partners of the organization, called extranets. Extranet users may require information from a large number of diverse sources, for example, product catalogs, customer databases, or inventory systems. There may be millions of potential users, the number of which grows dramatically as an organization prospers. Thus, there is a need for a large-scale system that can provide selective access to a large number of information sources for a large number of users.
Because some of the information sources are sensitive, there is a need to provide secure access to the information. Current networks and Web systems, including Intranets and extranets, are expensive and complex to implement. These technologies also change rapidly. There is a need for any information access method or system to integrate with and use existing equipment, software and systems. There is also a need for method and system that is flexible or adaptable to changing technologies and standards.
One approach to some of the foregoing problems and needs has been to provide each network resource or application program with a separate access control list. The access control list identifies users or hosts that are authorized to access a particular application. As new users or hosts are added to the network, the access control lists grow, making security management more complicated and difficult. Use of a large number of separate lists also makes the user experience tedious and unsatisfactory.
Another disadvantage of the foregoing approaches is duplication of management processes. To add new users to the system, a network administrator must repeat similar access processes for each application or resource to be made available to the new users. The redundancy of these processes, combined with rapid growth in the number of users, can make the cost of deploying, managing and supporting a system unacceptably high.
Thus, there is a need for a mechanism to govern access to one or more information resources in which selective access is given to particular users.
There is also a need for such a mechanism that is equally adaptable to an internal network environment and to an external network environment. There is a further need for such a mechanism that is easy to configure and re-configure as new users and resources become part of the system. There is still another need for such a mechanism that is simple to administer.
A related approach is described in prior application Ser. No. 09/113,609, filed Jul. 10, 1998, now U.S. Pat. No. 6,182,142 entitled “Controlling Access to Protected Information Resources,” and naming Teresa Win and Emilio Belmonte as inventors. In an embodiment of the system described in such prior application, a client process interacts with one or more server processes to obtain authorization to access protected resources. These interactions generally occur during one or more HTTP sessions that are established between the client and the server.
One problem of this configuration is how to store and manage information about the sessions. Since HTTP is a stateless protocol, it does not inherently have a mechanism for keeping track of information from session to session. A prior approach to this problem involves creating, storing, and accessing locally stored files called “cookies.” A cookie is a text file, created and stored at the client, that contains information that identifies a particular session. In one embodiment of the system described in the above-referenced prior application, a cookie is created and stored by a browser each time the browser accesses and interacts with an authentication server.
Each cookie includes an expiration time value. If the client attempts to access a protected resource after the time represented by the expiration time value, the client must re-authenticate itself with the authentication server.
Although this approach provides a modicum of security, it is subject to attack. For example, a cookie can be copied and moved to another computer without authorization.
One workaround is to create cookies that have an expiration time of “0.” Such cookies never expire, and are stored only in volatile memory at the client. Thus, security is improved. However, this approach is impractical, because it prevents the administrator of the system from limiting the amount of time after which a user is required to undergo authentication. Potentially, the user could be logged in and authenticated for an indefinite and perhaps unlimited period of time. Further, if the authenticated user leaves his or her workstation unattended, the user remains logged in, and an interloper could access the system without authorization.
Based on the foregoing, there is a clear need in this field for an improved way to manage client-server sessions in networks that use stateless protocols.
SUMMARY OF THE INVENTION
The foregoing needs, and other needs and objectives that will become apparent from the description herein, are achieved by the present invention, which comprises, in one aspect, a method of managing sessions in a stateless network system that includes a plurality of first servers each controlling access by one of a plurality of clients to resources of a plurality of second servers. In one embodiment, the method involves creating a session manager that is bound to the first server. One of the first servers receives a request of the client to obtain one of the resources of one of the second servers. The session manager determines from information stored therein whether the client is part of an authenticated session with any of the first servers. The session manager grants the client access to the resource only when the information in the session manager indicates that the client is part of an authenticated session.
In one feature, the determining step involves determining, at the session manager from information stored therein and based on a session identifier that is generated by the first server and provided to the session manager, whether the session identifier is valid; and granting the client access to the resource only when the session identifier indicates that the client is part of a valid session.
In another feature, the determining step involves determining, at the session manager from information store
Belmonte Emilio
Sampson Lawrence C.
Bingham Marcel K.
Entrust, Inc.
Hickman Palermo & Truong & Becker LLP
Vu Viet D.
LandOfFree
Session management in a stateless network system does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Session management in a stateless network system, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Session management in a stateless network system will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2988718