System and method for single sign-on session management without central server

US 20030158949A1
Filed: 02/19/2002
Published: 08/21/2003
Est. Priority Date: 02/19/2002
Status: Active Grant

First Claim

Patent Images

1. A method for single sign-on session management, the method comprising:

establishing a session credential;

validating the session credential at a first server;

granting access to a first resource of the first server;

validating the session credential at a second server; and

granting access to a second resource of the second server, wherein communication with a third server is not required to validate the session credential at either the first server or the second server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for single sign-on session management. Functions of session management and client log-in, normally handled by separate system servers, are incorporated as plug-in modules on individual web content servers. In this manner, network traffic to grant and validate client user credentials is reduced or minimized.

Citations

45 Claims

1. A method for single sign-on session management, the method comprising:
- establishing a session credential;
  
  validating the session credential at a first server;
  
  granting access to a first resource of the first server;
  
  validating the session credential at a second server; and
  
  granting access to a second resource of the second server, wherein communication with a third server is not required to validate the session credential at either the first server or the second server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. A method according to claim 1, further comprising updating a time value within the session credential at the first server.
  - 3. A method according to claim 2, wherein the time value is a session timeout value.
  - 4. A method according to claim 2, wherein the time value is a maximum idle time value.
  - 5. A method according to claim 1, further comprising updating a time value within the session credential in conjunction with granting access to the resource of the first server.
  - 6. A method according to claim 1, further comprising:
    - checking for presence of a session credential; and
      
      if a session credential is not present, then establishing the session credential.
  - 7. A method according to claim 1, further comprising:
    - checking for validity of the session credential; and
      
      if the session credential is not valid, then establishing a session credential.
  - 8. A method according to claim 1, wherein establishing a session credential further comprises creating a session credential at either the first server or the second server.
  - 9. A method according to claim 1, wherein establishing a session credential further comprises creating a session credential at a third server.
  - 10. A method according to claim 1, wherein the session credential is contained within a token that is received by the first server and the second server.
  - 11. A method according to claim 10, wherein the token is a cryptographically generated cookie.
  - 12. A method according to claim 10, wherein the token is held by a client browser.
  - 13. A method according to claim 1, wherein validating the session credential at the first server and at the second server further comprises decrypting a cryptographically generated cookie.
  - 14. A method according to claim 1, wherein the first resource is a protected resource.

15. A method for single sign-on session management, the method comprising:
- establishing a cryptographically generated cookie held by a client browser as a session credential;
  
  receiving the session credential from the client browser at a first server;
  
  validating the session credential at the first server by decrypting the cookie;
  
  granting the client browser access to a first protected resource of the first server;
  
  updating a timeout value contained within the session credential;
  
  cryptographically generating a new session credential as a cookie containing the updated timeout value;
  
  sending the new session credential to the client browser;
  
  receiving the new session credential at a second server;
  
  validating the new session credential at a second server by decrypting the cookie; and
  
  granting access to a second protected resource of the second server, wherein communication with a third server is not required to validate the session credentials at either the first server or the second server.

16. Computer executable software code transmitted as an information signal, the code for single sign-on session management, the code comprising:
- code to establish a session credential;
  
  code to validate the session credential at a first server;
  
  code to grant access to a first resource of the first server;
  
  code to validate the session credential at a second server; and
  
  code to grant access to a second resource of the second server, wherein communication with a third server is not required to validate the session credential at either the first server or the second server.

17. A computer readable medium having computer executable code stored thereon, the code for single sign-on session management, the code comprising:
- code to establish a session credential;
  
  code to validate the session credential at a first server;
  
  code to grant access to a first resource of the first server;
  
  code to validate the session credential at a second server; and
  
  code to grant access to a second resource of the second server, wherein communication with a third server is not required to validate the session credential at either the first server or the second server.

18. A programmed computer for single sign-on session management, comprising:
- a memory having at least one region for storing computer executable program code; and
  
  a processor for executing the program code stored in the memory, wherein the program code comprises;
  
  code to establish a session credential;
  
  code to validate the session credential at a first server;
  
  code to grant access to a first resource of the first server;
  
  code to validate the session credential at a second server; and
  
  code to grant access to a second resource of the second server, wherein communication with a third server is not required to validate the session credential at either the first server or the second server.

19. A method for single sign-on session management, the method comprising:
- providing a list of authorized users to a first server and to a second server;
  
  establishing a session credential using the list of authorized users;
  
  validating the session credential at the first server;
  
  validating the session credential at a second server, wherein communication with a third server is not required to validate the session credential at either the first server or the second server;
  
  providing an update to the list of authorized users to the first server and to the second server; and
  
  changing the session credential based on the update to the list.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 20. A method according to claim 19, further comprising granting access to a resource on the first server or on the second server after validating the session credential on the respective server.
  - 21. A method according to claim 20, wherein the resource is a protected resource.
  - 22. A method according to claim 19, wherein changing the session credential includes revoking access to any resource held by the first server.
  - 23. A method according to claim 19, wherein changing the session credential includes adding access to a resource held by the first server.
  - 24. A method according to claim 19, wherein changing the session credential includes removing access to a resource held by the first server.
  - 25. A method according to claim 19, wherein providing a list of authorized users includes sending the list to the first and second servers.
  - 26. A method according to claim 19, wherein providing a list of authorized users includes making the list available to the first and second servers.
  - 27. A method according to claim 19, wherein providing an update to the list of authorized users includes sending the update to the first and second servers.
  - 28. A method according to claim 19, wherein providing the list or update to the list of authorized users includes using a public network.
  - 29. A method according to claim 19, wherein providing a list or an update to the list of authorized users includes using a private network.
  - 30. A method according to claim 19, wherein establishing a session credential includes cryptographically generating a cookie.
  - 31. A method according to claim 19, wherein establishing a session credential includes using a log-in plug-in running on the first server.
  - 32. A method according to claim 19, wherein establishing a session credential includes using a log-in server connected by a network to the first and second server.
  - 33. A method according to claim 19, wherein validating the session credential at the first server includes using a session management plug-in running on the first server.
  - 34. A method according to claim 19, wherein validating the session credential at the first server includes decrypting a cryptographically generated cookie.

35. A system for single sign-on session management, the system comprising:
- a first server with a first resource;
  
  a session management plug-in running on the first server;
  
  a second server with a second resource;
  
  a session management plug-in running on the second server;
  
  a first network providing a connection of the second server to the first server; and
  
  a client with a session credential, the client connectable to the first server and to the second server by the first network, wherein the first server validates the session credential using the session management plug-in running on the first server without requiring a connection to either the second server or any other server and the second server validates the session credential using the session management plug-in running on the second server without requiring a connection to either the first server or any other server.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 36. A system according to claim 35, further comprising a third server with an authorized list of users, the third server connectable to the first server and to the second server by a second network.
  - 37. A system according to claim 36, wherein the first network and the second network are interconnected.
  - 38. A system according to claim 36, wherein the first network and the second network are the same network.
  - 39. A system according to claim 36, wherein the second network is a public network.
  - 40. A system according to claim 36, wherein the second network is a private network.
  - 41. A system according to claim 35, further comprising:
    - a log-in plug-in running on the first server; and
      
      a log-in plug-in running on the second server.
  - 42. A system according to claim 35, wherein the first network is a public network.
  - 43. A system according to claim 35, wherein the first network is a private network.
  - 44. A system according to claim 35, wherein the session credential is a cryptographically generated cookie.
  - 45. A system according to claim 35, wherein the resource on the first server is a protected resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Original Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Inventors
Miller, Lawrence R., Skingle, Bruce J.

Granted Patent

US 7,941,533 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0428   wherein the data content is...

H04L 63/0815   providing single-sign-on or...

H04L 63/101   Access control lists [ACL]

H04L 63/126   the source of the received ...

H04L 65/1101   Session protocols

System and method for single sign-on session management without central server

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for single sign-on session management without central server

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links