System and method for single sign-on session management without central server

US 10,432,607 B2
Filed: 10/30/2015
Issued: 10/01/2019
Est. Priority Date: 02/19/2002
Status: Active Grant

First Claim

Patent Images

1. A computer server configured for single sign-on session management, the computer server comprising:

at least one communication interface coupled to at least one protected web resource;

one or more computer processors, operatively connected with the at least one communication interface, restricting user access to the at least one protected web resource;

at least one plug-in module residing on the one or more computer processors and being configured to;

receive, from a first client device, a first request to access the at least one protected web resource, the first request comprising first user credentials;

determine, completely within the computer server and independent of any other server, whether the first user credentials can be authenticated;

when the first user credentials cannot be authenticated, deny the first request or perform further authentication;

when the first user credentials are authenticated, authorize the first request, create first session credentials for the first client device, and transmit the created first session credentials to the first client device;

the at least one plug-in module being further configured to;

receive, from the first client device or a second client device, a second request to access the at least one protected web resource, the second request comprising the first session credentials or second session credentials; and

validate, completely within the computer server and independent of any other server, the received first session credentials or the received second session credentials;

when the received first session credentials or the received second session credentials are validated, authorize the second request, andwhen the received first session credentials or the received second session credentials cannot be validated, deny the second request or perform further authentication.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for single sign-on session management. Functions of session management and client log-in, normally handled by separate system servers, are incorporated as plug-in modules on individual web content servers. In this manner, network traffic to grant and validate client user credentials is reduced or minimized.

51 Citations

20 Claims

1. A computer server configured for single sign-on session management, the computer server comprising:
- at least one communication interface coupled to at least one protected web resource;
  
  one or more computer processors, operatively connected with the at least one communication interface, restricting user access to the at least one protected web resource;
  
  at least one plug-in module residing on the one or more computer processors and being configured to;
  
  receive, from a first client device, a first request to access the at least one protected web resource, the first request comprising first user credentials;
  
  determine, completely within the computer server and independent of any other server, whether the first user credentials can be authenticated;
  
  when the first user credentials cannot be authenticated, deny the first request or perform further authentication;
  
  when the first user credentials are authenticated, authorize the first request, create first session credentials for the first client device, and transmit the created first session credentials to the first client device;
  
  the at least one plug-in module being further configured to;
  
  receive, from the first client device or a second client device, a second request to access the at least one protected web resource, the second request comprising the first session credentials or second session credentials; and
  
  validate, completely within the computer server and independent of any other server, the received first session credentials or the received second session credentials;
  
  when the received first session credentials or the received second session credentials are validated, authorize the second request, andwhen the received first session credentials or the received second session credentials cannot be validated, deny the second request or perform further authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer server of claim 1, wherein the at least one plug-in module comprises a log-in module.
  - 3. The computer server of claim 1, wherein the at least one plug-in module comprises a session management module.
  - 4. The computer server of claim 1, wherein the first user credentials comprise user log-in information.
  - 5. The computer server of claim 1, wherein the first user credentials are authenticated based on a list of authorized users from a global repository.
  - 6. The computer server of claim 1, wherein the created first session credentials are contained within a token or cookie.
  - 7. The computer server of claim 1, wherein the created first session credentials comprises one or more time values selected from a group consisting of a session time out value and a maximum idle time value.
  - 8. The computer server of claim 1, wherein the created first session credentials are encrypted before being transmitted to the first client device.
  - 9. The computer server of claim 1, being further configured to decrypt the received first session credentials or the received second session credentials.
  - 10. The computer server of claim 1, being further configured to update a time value within the received first session credentials or the received second session credentials when the received first session credentials or the received second session credentials are validated.

11. A computer-implemented method for single sign-on session management on a computer server, the method comprising:
- restricting, by the computer server, user access to at least one protected web resource;
  
  receiving, from a first client device, a first request to access the at least one protected web resource, the first request comprising first user credentials;
  
  determining, completely within the computer server and independent of any other server, whether the first user credentials can be authenticated;
  
  when the first user credentials cannot be authenticated, denying the first request or performing further authentication;
  
  when the first user credentials are authenticated, authorizing the first request, creating first session credentials for the first client device, and transmitting the created first session credentials to the first client device;
  
  receiving, from the first client device or a second client device, a second request to access the at least one protected web resource, the second request comprising the first session credentials or second session credentials; and
  
  validating, completely within the computer server and independent of any other server, the received first session credentials or the received second session credentials;
  
  when the received first session credentials or the received second session credentials are validated, authorizing the second request, andwhen the received first session credentials or the received second session credentials cannot be validated, denying the second request or performing further authentication.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer-implemented method of claim 11, wherein the first user credentials comprise user log-in information.
  - 13. The computer-implemented method of claim 11, further comprising:
    - authenticating the first user credentials based on a list of authorized users from a global repository.
  - 14. The computer-implemented method of claim 11, wherein the created first session credentials are contained within a token or cookie.
  - 15. The computer-implemented method of claim 11, wherein the created first session credentials comprises one or more time values selected from a group consisting of a session time out value and a maximum idle time value.
  - 16. The computer-implemented method of claim 11, further comprising:
    - encrypting the created first session credentials before their transmission to the first client device.
  - 17. The computer-implemented method of claim 11, further comprising:
    - decrypting the received first session credentials or the received second session credentials.
  - 18. The computer-implemented method of claim 11, further comprising:
    - validating a time value within the received first session credentials or the received second session credentials.
  - 19. The computer-implemented method of claim 11, further comprising:
    - updating a time value within the received first session credentials or the received second session credentials when the received first session credentials or the received second session credentials are validated.

20. A non-transitory computer-readable medium comprising code for single sign-on session management, the code comprising instructions executable by a computer server to:
- restrict, by the computer server, user access to at least one protected web resource;
  
  receive, from a first client device, a first request to access the at least one protected web resource, the first request comprising first user credentials;
  
  determine, completely within the computer server and independent of any other server, whether the first user credentials can be authenticated;
  
  when the first user credentials cannot be authenticated, deny the first request or perform further authentication;
  
  when the first user credentials are authenticated, authorize the first request, create first session credentials for the first client device, and transmit the created first session credentials to the first client device;
  
  receive, from the first client device or a second client device, a second request to access the at least one protected web resource, the second request comprising the first session credentials or second session credentials; and
  
  validate, completely within the computer server and independent of any other server, the received first session credentials or the received second session credentials;
  
  when the received first session credentials or the received second session credentials are validated, authorize the second request, andwhen the received first session credentials or the received second session credentials cannot be validated, deny the second request or perform further authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Original Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Inventors
Miller, Lawrence R., Skingle, Bruce J.
Primary Examiner(s)
Zeender, Florian M
Assistant Examiner(s)
Racic, Milena

Application Number

US14/927,714
Publication Number

US 20160119326A1
Time in Patent Office

1,432 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0428   wherein the data content is...

H04L 63/0815   providing single-sign-on or...

H04L 63/101   Access control lists [ACL]

H04L 63/126   the source of the received ...

H04L 65/1101   Session protocols

System and method for single sign-on session management without central server

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for single sign-on session management without central server

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others