Atomic session-start operation combining clear-text and encrypted sessions to provide ID visibility to middleware such as load-balancers

US 20050010754A1
Filed: 07/27/2004
Published: 01/13/2005
Est. Priority Date: 09/01/1999
Status: Active Grant

First Claim

Patent Images

1. A server farm for assigning both clear-text and encrypted-session requests from a client to an assigned server, the server farm comprising:

a plurality of servers that includes the assigned server, the plurality of servers for sending web pages to clients, the web pages including clear-text web pages that are transmitted as non-encrypted clear-text data and web pages that are transmitted as encrypted data;

a load-balancer, receiving requests from clients, for distributing the requests to the plurality of servers, the load-balancer determining the assigned server in the plurality of servers by;

parsing a clear-text request for a server-assignment cookie, the server-assignment cookie indicating which server in the plurality of servers has previously been assigned to respond to requests from the client that generated the request;

or matching an encrypted-session identifier contained in the request for an encrypted page to an encrypted-session identifier table-entry identifying which server in the plurality of servers has previously been assigned to respond to an encrypted-session request from the client that generated the request; and

a network connection for connecting the load-balancer to receive the requests from the clients, and for sending responses from the plurality of servers to the clients, whereby load balancing among the plurality of servers is determined by the server-assignment cookie for clear-text requests, and determined by the encrypted-session identifier for encrypted-session requests.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A load-balancer assigns incoming requests to servers at a server farm. An atomic operation assigns both un-encrypted clear-text requests and encrypted requests from a client to the same server at the server farm. An encrypted session is started early by the atomic operation, before encryption is required. The atomic operation is initiated by a special, automatically loaded component on a web page. This component is referenced by code requiring that an encrypted session be used to retrieve the component. Keys and certificates are exchanged between a server and the client to establish the encrypted session. The server generates a secure-sockets-layer (SSL) session ID for the encrypted session. The server also generates a server-assignment cookie that identifies the server at the server farm. The server-assignment cookie is encrypted and sent to the client along with the SSL session ID. The Client decrypts the server-assignment cookie and stores it along with the SSL session ID. The load-balancer stores the SSL session ID along with a server assignment that identifies the server that generated the SSL session ID. When other encrypted requests are generated by the client to the server farm, they include the SSL session ID. The load-balancer uses the SSL session ID to send the requests to the assigned server. When the client sends a non-encrypted clear-text request to the server farm, it includes the decrypted server-assignment cookie. The load balancer parses the clear-text request to find the server-assignment cookie. The load-balancer then sends the request to the assigned server.

95 Citations

View as Search Results

20 Claims

1. A server farm for assigning both clear-text and encrypted-session requests from a client to an assigned server, the server farm comprising:
- a plurality of servers that includes the assigned server, the plurality of servers for sending web pages to clients, the web pages including clear-text web pages that are transmitted as non-encrypted clear-text data and web pages that are transmitted as encrypted data;
  
  a load-balancer, receiving requests from clients, for distributing the requests to the plurality of servers, the load-balancer determining the assigned server in the plurality of servers by;
  
  parsing a clear-text request for a server-assignment cookie, the server-assignment cookie indicating which server in the plurality of servers has previously been assigned to respond to requests from the client that generated the request;
  
  or matching an encrypted-session identifier contained in the request for an encrypted page to an encrypted-session identifier table-entry identifying which server in the plurality of servers has previously been assigned to respond to an encrypted-session request from the client that generated the request; and
  
  a network connection for connecting the load-balancer to receive the requests from the clients, and for sending responses from the plurality of servers to the clients, whereby load balancing among the plurality of servers is determined by the server-assignment cookie for clear-text requests, and determined by the encrypted-session identifier for encrypted-session requests.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The server farm of claim 1 wherein a server in the plurality of servers further comprises:
    - means for executing an atomic server-assignment operation, the atomic server-assignment operation generating the server-assignment cookie indicating that the server is assigned to receive requests from a client, atomic server-assignment operation generating the encrypted-session identifier used by the load-balancer to identify the server; and
      
      atomic transmit means, receiving the server-assignment cookie and the encrypted-session identifier from the atomic server-assignment operation, for transmitting the encrypted-session identifier and the server-assignment cookie to the client through the network connection, wherein the client stores the server-assignment cookie and stores the encrypted-session identifier, the client sending the server-assignment cookie but not the encrypted-session identifier with each clear-text request to the server farm, the client sending the encrypted-session identifier with each encrypted-session request to the server farm, whereby the atomic server-assignment operation sets a server assignment for both clear-text requests and encrypted-session requests.
  - 3. The server farm of claim 2 wherein the server-assignment cookie is encrypted when the atomic transmit means transmits the encrypted-session identifier and the server-assignment cookie to the client, but the encrypted-session identifier is not encrypted, whereby the load-balancer can read the encrypted-session identifier but cannot read the server-assignment cookie for encrypted-session requests.
  - 4. The server farm of claim 3 wherein after the atomic server-assignment operation, the encrypted-session request from the client contains the server-assignment cookie that is encrypted and not readable by the load-balancer, the encrypted-session request containing the encrypted-session identifier that is readable by the load-balancer.
  - 5. The server farm of claim 4 wherein the atomic server-assignment operation is initiated by a reference to an encrypted component on a clear-text web page, the encrypted component generating an encrypted-session request from the client that contains no encrypted-session identifier;
    - wherein a web browser that generates a warning message when a clear-text web page is referenced from an encrypted-session web page does not generate the warning message when the encrypted component is referenced, whereby the warning message from the web browser is avoided when an encrypted session begins.
  - 6. The server farm of claim 5 wherein the encrypted component is an image file that is not visible to a user.
  - 7. The server farm of claim 5 wherein the encrypted component contains public, non-confidential information that otherwise does not require encryption, whereby the encrypted component is used to initiate the encrypted session before encryption is needed.
  - 8. The server farm of claim 2 wherein the load-balancer further comprises:
    - a session table having a plurality of entries, each entry containing a session identifier for an encrypted session and a server identifier that identifies an assigned server in the plurality of servers;
      
      wherein the load-balancer compares an encrypted-session identifier for an incoming packet to the encrypted-session identifiers stored in the session table to find the server identifier indicating which servers is assigned to accept the incoming packet, whereby encrypted-session identifiers are stored in the session table in the load-balancer.

9. A method for load-balancing a web site, the method comprising:
- receiving a clear-text request from a client for viewing a web page;
  
  assigning the clear-text request from the client to a first server in a plurality of servers at the web site;
  
  sending requested web page from the first server to the client using a clear-text connection;
  
  before the client requests a web page that changes a state stored on the client, performing an atomic server-assignment operation by;
  
  assigning an initial encrypted-session request from the client to an assigned server;
  
  initiating an encrypted connection between the client and the assigned server;
  
  deriving an encrypted-session identifier from the encrypted connection and associating the encrypted-session identifier to the assigned server in a load balancer;
  
  generating a server-assignment state indicator that identifies the assigned server;
  
  sending the encrypted server-assignment state-indicator to the client using an encrypted connection;
  
  storing the encrypted-session identifier and the server-assignment state indicator on the client;
  
  after the atomic server-assignment operation is performed, the client sending a clear-text request to the web site that includes the server-assignment state-indicator but does not include the encrypted-session identifier;
  
  after the atomic server-assignment operation is performed, the client sending a encrypted-session request to the web site that includes the encrypted-session identifier;
  
  a load-balancer reading the server-assignment state-indicator from the clear-text request from the client, the load-balancer sending the clear-text request to the assigned server identified by the server-assignment state-indicator;
  
  the load-balancer reading the encrypted-session identifier from the encrypted-session request from the client, the load-balancer associating the encrypted-session identifier with the assigned server; and
  
  the load-balancer sending the encrypted-session request to the assigned server, whereby the atomic server-assignment operation assigns a server for both clear-text and encrypted-session requests subsequently sent from the client to the web site.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9 wherein the step of initiating an encrypted connection further comprises:
    - exchanging encryption keys and certificates among the client and the assigned server.
  - 11. The method of claim 10 wherein the load-balancer does not exchange the encryption keys and certificates directly with the client, the encryption keys being forwarded through the load-balancer, the load-balancer capturing the encrypted-session identifier.
  - 12. The method of claim 11 wherein the web site is an electronic-commerce web site;
    - wherein the clear-text requests include requests for viewing product-information web pages;
      
      wherein the clear-text requests sent by the client after the atomic server-assignment operation is performed include item-select requests to add items for purchase to a customer-item list, wherein the encrypted-session requests sent by the client after the atomic server-assignment operation is performed include a checkout request to confirm payment for the items for purchase on the customer-item list, whereby clear-text requests to add items to the customer-item list are not encrypted.
  - 13. The method of claim 12 wherein the customer-item list is stored on the assigned server but not stored on other servers or on a central database before the checkout request is received, whereby the customer-item list is locally stored before checkout.
  - 14. The method of claim 13 wherein the item-select requests change the state stored on the client, whereby the atomic server-assignment operation is performed before items are added to the customer-item list.
  - 15. The method of claim 14 wherein the atomic server-assignment operation is initiated by a reference to an encrypted component embedded on a product-information web page, whereby the atomic server-assignment operation is initiated by browsing a product-information web page before items are added to the customer-item list.
  - 16. The method of claim 12 wherein the assigned server responds to the checkout request by sending a checkout web page which allows a user at the client to input credit-card information for payment.
  - 17. The method of claim 12 wherein the encrypted-session identifier is a secure-sockets-layer (SSL) session ID contained in a non-encrypted portion of an encrypted connection.

18. A computer-program product comprising:
- a computer-usable medium having computer-readable program code means embodied therein for assigning packets from a remote client to an assigned server in a plurality of servers, the computer-readable program code means in the computer-program product comprising;
  
  network connection means for transmitting and receiving packets from the remote client;
  
  a server application, loaded on each of the plurality of servers and connected to the network connection means, for serving web pages to the remote client in response to requests from the remote client;
  
  middleware, coupled to intercept packets from the remote client to the server application, the middleware not able to read encrypted data in encrypted packets;
  
  atomic session means, in the server application, for initiating an encrypted session between an assigned server and the remote client, and for generating both (1) an encrypted-session identifier and (2) a server-identifying cookie that identify the assigned server in the plurality of servers; and
  
  transmit means, in the server application, for sending both the encrypted-session identifier and the server-identifying cookie to the remote client when the encrypted session is initiated, the remote client storing both the encrypted-session identifier and the server-identifying cookie;
  
  when the remote client sends an un-encrypted clear-text message to the server application, the remote client including the server-identifying cookie, the middleware reading the server-identifying cookie;
  
  when the remote client sends an encrypted message to the server application, the remote client including the encrypted-session identifier, the middleware reading the encrypted-session identifier, whereby the server-identifying cookie identifies the assigned server for clear-text messages from the remote client, but the encrypted-session identifier identifies the assigned server for encrypted messaged.
- View Dependent Claims (19, 20)
- - 19. The computer-program product of claim 18 wherein the middleware is a load-balancer for sending incoming packets from the remote client to the assigned server.
  - 20. The computer-program product of claim 18 wherein the network connection means connects to the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hanger Solutions, LLC (IP Investments Group LLC)
Original Assignee
Resonate (AEG Holdings, Inc.)
Inventors
Brendel, Juergen

Granted Patent

US 7,861,075 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/104   Grouping of entities

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/1001   for accessing one among a p...

H04L 67/1012   based on compliance of requ...

H04L 67/1027   Persistence of sessions dur...

H04L 67/14   Session management for real...

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

H04L 69/22   Parsing or analysis of headers

Atomic session-start operation combining clear-text and encrypted sessions to provide ID visibility to middleware such as load-balancers

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Atomic session-start operation combining clear-text and encrypted sessions to provide ID visibility to middleware such as load-balancers

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links