Atomic session-start operation combining clear-text and encrypted sessions to provide ID visibility to middleware such as load-balancers
First Claim
1. A server farm for assigning both clear-text and encrypted-session requests from a client to an assigned server, the server farm comprising:
- a plurality of servers that includes the assigned server, the plurality of servers for sending web pages to clients, the web pages including clear-text web pages that are transmitted as non-encrypted clear-text data and web pages that are transmitted as encrypted data;
a load-balancer, receiving requests from clients, for distributing the requests to the plurality of servers, the load-balancer determining the assigned server in the plurality of servers by:
parsing a clear-text request for a server-assignment cookie, the server-assignment cookie indicating which server in the plurality of servers has previously been assigned to respond to requests from the client that generated the request;
or matching an encrypted-session identifier contained in the request for an encrypted page to an encrypted-session identifier table-entry identifying which server in the plurality of servers has previously been assigned to respond to an encrypted-session request from the client that generated the request; and
a network connection for connecting the load-balancer to receive the requests from the clients, and for sending responses from the plurality of servers to the clients, whereby load balancing among the plurality of servers is determined by the server-assignment cookie for clear-text requests, and determined by the encrypted-session identifier for encrypted-session requests.
4 Assignments
0 Petitions
Abstract
A load-balancer assigns incoming requests to servers at a server farm. An atomic operation assigns both un-encrypted clear-text requests and encrypted requests from a client to the same server at the server farm. An encrypted session is started early by the atomic operation, before encryption is required. The atomic operation is initiated by a special, automatically loaded component on a web page. This component is referenced by code requiring that an encrypted session be used to retrieve the component. Keys and certificates are exchanged between a server and the client to establish the encrypted session. The server generates a secure-sockets-layer (SSL) session ID for the encrypted session. The server also generates a server-assignment cookie that identifies the server at the server farm. The server-assignment cookie is encrypted and sent to the client along with the SSL session ID. The client decrypts the server-assignment cookie and stores it along with the SSL session ID. The load-balancer stores the SSL session ID along with a server assignment that identifies the server that generated the SSL session ID. When other encrypted requests are generated by the client to the server farm, they include the SSL session ID. The load-balancer uses the SSL session ID to send the requests to the assigned server. When the client sends a non-encrypted clear-text request to the server farm, it includes the decrypted server-assignment cookie. The load-balancer parses the clear-text request to find the server-assignment cookie. The load-balancer then sends the request to the assigned server.
95 Citations
20 Claims
1. A server farm for assigning both clear-text and encrypted-session requests from a client to an assigned server, the server farm comprising:
a plurality of servers that includes the assigned server, the plurality of servers for sending web pages to clients, the web pages including clear-text web pages that are transmitted as non-encrypted clear-text data and web pages that are transmitted as encrypted data;
a load-balancer, receiving requests from clients, for distributing the requests to the plurality of servers, the load-balancer determining the assigned server in the plurality of servers by:
parsing a clear-text request for a server-assignment cookie, the server-assignment cookie indicating which server in the plurality of servers has previously been assigned to respond to requests from the client that generated the request;
or matching an encrypted-session identifier contained in the request for an encrypted page to an encrypted-session identifier table-entry identifying which server in the plurality of servers has previously been assigned to respond to an encrypted-session request from the client that generated the request; and
a network connection for connecting the load-balancer to receive the requests from the clients, and for sending responses from the plurality of servers to the clients, whereby load balancing among the plurality of servers is determined by the server-assignment cookie for clear-text requests, and determined by the encrypted-session identifier for encrypted-session requests. (Dependent claims: 2, 3, 4, 5, 6, 7, 8)
9. A method for load-balancing a web site, the method comprising:
receiving a clear-text request from a client for viewing a web page;
assigning the clear-text request from the client to a first server in a plurality of servers at the web site;
sending the requested web page from the first server to the client using a clear-text connection;
before the client requests a web page that changes a state stored on the client, performing an atomic server-assignment operation by:
assigning an initial encrypted-session request from the client to an assigned server;
initiating an encrypted connection between the client and the assigned server;
deriving an encrypted-session identifier from the encrypted connection and associating the encrypted-session identifier to the assigned server in a load balancer;
generating a server-assignment state indicator that identifies the assigned server;
sending the encrypted server-assignment state-indicator to the client using an encrypted connection;
storing the encrypted-session identifier and the server-assignment state indicator on the client;
after the atomic server-assignment operation is performed, the client sending a clear-text request to the web site that includes the server-assignment state-indicator but does not include the encrypted-session identifier;
after the atomic server-assignment operation is performed, the client sending an encrypted-session request to the web site that includes the encrypted-session identifier;
a load-balancer reading the server-assignment state-indicator from the clear-text request from the client, the load-balancer sending the clear-text request to the assigned server identified by the server-assignment state-indicator;
the load-balancer reading the encrypted-session identifier from the encrypted-session request from the client, the load-balancer associating the encrypted-session identifier with the assigned server; and
the load-balancer sending the encrypted-session request to the assigned server, whereby the atomic server-assignment operation assigns a server for both clear-text and encrypted-session requests subsequently sent from the client to the web site. (Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17)
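The abstract and claim 9 describe one mechanism from two sides: the server runs the atomic session start (mint an SSL session ID, register it with the balancer, issue a matching server-assignment cookie), and the balancer afterwards steers encrypted traffic by the session ID and clear-text traffic by the cookie. The point that matters to a practitioner is that the middleware never decrypts anything: the session ID sits in the clear in the TLS ClientHello, and the cookie sits in the clear in the HTTP request. The following toy model is an added example, not code from the patent or from any product; the record-layout helper, the cookie name `srv`, the server names `web1`..`web3`, the `shop.example` host and the sample requests are all constructed for the example.

```python
"""Toy model of the two-path routing in the abstract and in claim 9 (added
example, not patent code). The balancer reads only the ClientHello session ID
and the clear-text cookie; it never decrypts application data."""
import os
import struct
from typing import Optional

COOKIE_NAME = "srv"   # constructed name for the server-assignment cookie


def build_client_hello(session_id: bytes) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying session_id. Only the fields
    up to session_id matter here; the tail is the smallest valid one."""
    if not 0 <= len(session_id) <= 32:
        raise ValueError("session_id must be 0..32 bytes")
    body = (b"\x03\x03" + os.urandom(32)          # client_version, random
            + bytes([len(session_id)]) + session_id
            + b"\x00\x02\x00\x2f"                  # cipher_suites: one entry
            + b"\x01\x00")                         # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_session_id(record: bytes) -> Optional[bytes]:
    """Session ID of a ClientHello record, or None if the bytes are not a
    well-formed ClientHello. Every length is bounds-checked so a truncated or
    hostile record cannot push the parser past the buffer."""
    if len(record) < 5 or record[0] != 0x16:       # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    if rec_len < 4 or len(record) < 5 + rec_len:
        return None
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:                               # not client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:       # version + random + len
        return None
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len:
        return None
    return body[35:35 + sid_len]


def parse_cookie(request: bytes, name: str) -> Optional[str]:
    """Pull one cookie value out of the header block of a clear-text request."""
    head = request.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == b"cookie":
            for pair in value.decode("latin-1").split(";"):
                k, _, v = pair.strip().partition("=")
                if k == name:
                    return v
    return None


class LoadBalancer:
    def __init__(self, servers):
        self.servers = list(servers)
        self.session_table = {}     # SSL session ID -> assigned server
        self._rr = 0

    def _next(self) -> str:
        server = self.servers[self._rr % len(self.servers)]
        self._rr += 1
        return server

    def register_session(self, session_id: bytes, server: str) -> None:
        self.session_table[session_id] = server

    def route(self, packet: bytes):
        """(server, reason): encrypted traffic keyed by session ID, clear text
        by cookie; anything unrecognised falls back to round-robin, never to a
        guess based on an unknown identifier."""
        sid = parse_client_hello_session_id(packet)
        if sid is not None:
            if sid in self.session_table:
                return self.session_table[sid], "session-id"
            return self._next(), "new-session"
        cookie = parse_cookie(packet, COOKIE_NAME)
        if cookie in self.servers:
            return cookie, "cookie"
        return self._next(), "round-robin"


def atomic_session_start(lb: LoadBalancer, server: str):
    """Server side of the atomic operation: mint the SSL session ID, register
    it with the balancer and issue the matching cookie. In the patent the
    cookie reaches the client inside the encrypted session; the model just
    hands both values back so the caller can store them."""
    session_id = os.urandom(32)
    lb.register_session(session_id, server)
    return session_id, server


def demo() -> dict:
    """Walk the sequence of claim 9 and report where each request landed."""
    lb = LoadBalancer(["web1", "web2", "web3"])
    initial = lb.route(b"GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n")
    assigned = lb.route(build_client_hello(b""))       # auto-loaded component
    sid, cookie = atomic_session_start(lb, assigned[0])
    encrypted = lb.route(build_client_hello(sid))      # later encrypted request
    clear = (b"GET /catalog HTTP/1.1\r\nHost: shop.example\r\nCookie: "
             + f"{COOKIE_NAME}={cookie}".encode() + b"\r\n\r\n")
    cleartext = lb.route(clear)                        # later clear-text request
    unknown = lb.route(build_client_hello(os.urandom(32)))   # ID not in table
    return {"initial": initial, "assigned": assigned, "encrypted": encrypted,
            "cleartext": cleartext, "unknown": unknown}


if __name__ == "__main__":
    for step, (server, reason) in demo().items():
        print(f"{step:10s} -> {server} ({reason})")
```

Two caveats when carrying this beyond the model. The cookie is sent over clear text by design, so it should carry nothing more than an opaque server index, as the example does. And the session-ID path depends on the ClientHello actually carrying a meaningful session ID; in TLS 1.3 that field is retained only for compatibility and resumption is negotiated through pre-shared keys, so a balancer that relies on this technique needs a different clear-text key for TLS 1.3 clients.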
18. A computer-program product comprising:
a computer-usable medium having computer-readable program code means embodied therein for assigning packets from a remote client to an assigned server in a plurality of servers, the computer-readable program code means in the computer-program product comprising:
network connection means for transmitting and receiving packets from the remote client;
a server application, loaded on each of the plurality of servers and connected to the network connection means, for serving web pages to the remote client in response to requests from the remote client;
middleware, coupled to intercept packets from the remote client to the server application, the middleware not able to read encrypted data in encrypted packets;
atomic session means, in the server application, for initiating an encrypted session between an assigned server and the remote client, and for generating both (1) an encrypted-session identifier and (2) a server-identifying cookie that identify the assigned server in the plurality of servers; and
transmit means, in the server application, for sending both the encrypted-session identifier and the server-identifying cookie to the remote client when the encrypted session is initiated, the remote client storing both the encrypted-session identifier and the server-identifying cookie;
when the remote client sends an un-encrypted clear-text message to the server application, the remote client including the server-identifying cookie, the middleware reading the server-identifying cookie;
when the remote client sends an encrypted message to the server application, the remote client including the encrypted-session identifier, the middleware reading the encrypted-session identifier, whereby the server-identifying cookie identifies the assigned server for clear-text messages from the remote client, but the encrypted-session identifier identifies the assigned server for encrypted messages. (Dependent claims: 19, 20)
Specification