Server-side filter for corrupt web-browser cookies

US 20030018707A1
Filed: 07/20/2001
Published: 01/23/2003
Est. Priority Date: 07/20/2001
Status: Abandoned Application

First Claim

Patent Images

1. A server-based, computer implemented method for detecting and eliminating invalid server-supplied data from client machines comprising the following steps performed following the receipt of a request for services from a client web browser which request is accompanied by server data placed on the client web machine via commands for the web browser included in transport protocol response headers sent by the server or by related servers on earlier occasions:

scanning the server data which is received from the client web browser to identify invalid data;

determining an identifier that accompanies any data which is invalid; and

as part of a server response sent to the client web browser, including in the response a command or commands that causes only the invalid data, identified by the identifier, to be neutralized.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server that services a number of client computers over an Internet type of a network and that sends cookies to web browsers on those client computers is able to screen out and delete all cookies containing invalid data values. When a client computer web browser submits a request to the server, such as an HTTP request for a web page, the client web browser automatically sends to the server the names and data contents of all cookies that originally came from that server or a related server. The server screens this cookie data contents for illegal data values. If any are found, then when the server next delivers a document to the client web browser, the server inserts into the HTTP header that is associated with the HTML document commands directing the replacement of all named cookies containing erroneous data with new cookies having their expiration dates set to zero so that they are promptly discarded by the client web browser.

95 Citations

View as Search Results

24 Claims

1. A server-based, computer implemented method for detecting and eliminating invalid server-supplied data from client machines comprising the following steps performed following the receipt of a request for services from a client web browser which request is accompanied by server data placed on the client web machine via commands for the web browser included in transport protocol response headers sent by the server or by related servers on earlier occasions:
- scanning the server data which is received from the client web browser to identify invalid data;
  
  determining an identifier that accompanies any data which is invalid; and
  
  as part of a server response sent to the client web browser, including in the response a command or commands that causes only the invalid data, identified by the identifier, to be neutralized.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. A method in accordance with claim 1, wherein the method is applied to the detection and neutralization of one or more cookies supplied by the server or related servers to client web browsers and, when its data and name is later returned by a particular client web browser to the server, is found to contain invalid data, and wherein only cookies containing invalid data, identified by name, are neutralized.
  - 3. A method in accordance with claim 1, wherein the server data accompanying a request for services received from a client web browser contains one or more separate sets of data each including a name and a data value, and wherein the command or commands sent to the client as part of a response to the client includes one or more commands each of which identifies by name a set of data that contains invalid data and that is to be neutralized, whereby other sets of data containing valid data are not neutralized.
  - 4. A method in accordance with claim 3, wherein neutralization is carried out by sending to a client a command that places on the client a new data set associated with a name for a data set containing invalid data and a domain identifier of the server or of the related servers, the new data set containing no erroneous data, whereby the new data set displaces the erroneous data set and thereby neutralizes the erroneous data set.
  - 5. A method in accordance with claim 1, wherein server data placed on a client machine via commands sent to a client web browser includes an expiration date, and wherein neutralization is accomplished by adjusting the expiration date to a valve that neutralizes the invalid data through expiration.
  - 6. A method in accordance with claim 5, wherein the expiration date is set to zero.
  - 7. A method in accordance with claim 5, wherein the expiration date is set to a date equal to or earlier than the date when the one or more commands is sent back to the client.
  - 8. A method in accordance with claim 1, wherein the invalid data comprises data whose value corresponds to one or more printable character identification codes which match codes contained in a list of invalid character codes.
  - 9. A method in accordance with claim 1, wherein the data transfer protocol is HTTP or an equivalent protocol, the data received comprises one or more data sets preceded by a “
    - Cookie;
      
      ”
      
      command or its equivalent, and separated by semi-colons or some other equivalent separator and of the form “
      
      NAME=VALUE”
      
      or some equivalent form, and wherein the neutralization of such data is achieved by returning one or more commands “
      
      Set-cookie;
      
      ”
      
      or its equivalent, each including at least a first expression followed by one or more expressions, separated by semi-colons or some equivalent separator, of the form “
      
      NAME=VALUE”
      
      or its equivalent where NAME is the name associated with invalid data and VALUE is valid data which may be no data.
  - 10. A method in accordance with claim 9, in which the command “
    - Set-cookie;
      
      ”
      
      or its equivalent is also followed by an expression “
      
      domain=DOMAIN_NAME”
      
      or its equivalent where DOMAIN_NAME identifies the server or group of related servers.
  - 11. A method in accordance with claim 10, in which the command “
    - Set-cookie;
      
      ”
      
      or its equivalent is also followed by an expression “
      
      expires=DATE”
      
      or its equivalent where DATE is a date or its equivalent adjusted to neutralize the invalid data values by the client web browser.
  - 12. A computer program containing instructions enabling it to cause a server to carry out the method steps as in claim 1.
  - 14. A system in accordance with claim 13, wherein the system is applied to the detection and neutralization of one or more cookies supplied by the server or related servers to client web browsers and, when its data and name is later returned by a particular client web browser to the server, is found to contain invalid data, and wherein only cookies containing invalid data, identified by name, are neutralized.
  - 15. A system in accordance with claim 13, wherein the server data accompanying a request for services received from a client contains one or more separate sets of data each including a name and a data value, and wherein the command or commands sent to the client as part of a response to the client includes one or more commands each of which identifies by name a set of data that contains invalid data and that is to be neutralized, whereby other sets of data containing invalid data are not neutralized.
  - 16. A system in accordance with claim 15, wherein neutralization is carried out by sending to a client a command that places on the client machine a new data set associated with a name for the data set and a domain identifier of the server or of related servers, the new data set containing no erroneous data, whereby the new data set displaces the erroneous data set and thereby neutralizes the erroneous data set.
  - 17. A system in accordance with claim 13, wherein server data placed on a client includes an expiration date, and wherein neutralization is accomplished by adjusting the expiration date to a valve that neutralizes the invalid data through expiration.
  - 18. A system in accordance with claim 17, wherein the expiration date is set to zero.
  - 19. A system in accordance with claim 17, wherein the expiration date is set to a date equal to or earlier than the date when the one or more commands are sent back to the client.
  - 20. A system in accordance with claim 13, wherein invalid data comprises data whose value corresponds to one or more printable character identification codes which match codes contained in a list of invalid character codes.
  - 21. A system in accordance with claim 13, wherein the data transfer protocol is HTTP or an equivalent protocol, the data received comprises one or more data sets preceded by “
    - Cookie;
      
      ”
      
      or an equivalent command and separated by semicolons or an equivalent separator and of the form “
      
      NAME=VALUE”
      
      or an equivalent form, and where the neutralization of such data is achieved by returning the command “
      
      Set-cookie;
      
      ”
      
      or an equivalent command including at least a first expression followed by one or more expressions separated by semicolons or an equivalent separator of the form “
      
      NAME=VALUE”
      
      or an equivalent form where NAME is the name associated with invalid data and VALUE is valid data or no data.
  - 22. A system in accordance with claim 21, in which the command “
    - Set-cookie;
      
      ”
      
      or its equivalent is also followed by an expression “
      
      domain=DOMAIN_NAME”
      
      or an equivalent expression, where DOMAIN_NAME identifies the server or group of related servers.
  - 23. A system in accordance with claim 22, in which the command “
    - Set-cookie;
      
      ”
      
      or its equivalent is also followed by an expression “
      
      expires=DATE”
      
      or an equivalent expression, where DATE is a date value or its equivalent adjusted to neutralize the data value at the client.
  - 24. A system in accordance with claim 21, in which the command “
    - Set-cookie;
      
      ”
      
      is also followed by an expression “
      
      expires=DATE”
      
      where DATE is a date adjusted to neutralize the data value by the client browser.

13. A system for detecting and eliminating invalid data from client web browsers comprising:
- a server designed to communicate over a network with clients;
  
  a client message receiver and transmitter on the server that is arranged to receive and to process incoming client messages and to transmit return messages back to clients;
  
  a scanner that scans at least some messages flowing into the server coming from clients over the network and including a detector that can detect incoming server data returned to the server by the client and originally supplied to the client on earlier occasions by the server or by a related server;
  
  a data integrity tester that tests the integrity of such incoming server data; and
  
  a message insertion command generator placed into operation when the data integrity tester identifies invalid data in such incoming server data that causes the message receiver and transmitter, when transmitting a return message back to a client from which invalid data was received, to include within the return message one or more commands that causes the client to neutralized the invalid data without neutralizing other valid data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Flocken, Philip Andrew

Application Number

US09/909,482
Publication Number

US 20030018707A1
Time in Patent Office

Days
Field of Search
US Class Current

709/203
CPC Class Codes

H04L 67/02   based on web technology, e....

H04L 67/535   Tracking the activity of th...

H04L 9/40   Network security protocols

Server-side filter for corrupt web-browser cookies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Server-side filter for corrupt web-browser cookies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links