Cookie-based acceleration of an authentication protocol

US 20060230265A1
Filed: 04/08/2005
Published: 10/12/2006
Est. Priority Date: 04/08/2005
Status: Active Grant

First Claim

Patent Images

1. A method for authentication comprising:

receiving a request from a client for a network service at a cache server;

authenticating the client according to a non-cacheable authentication protocol, including passing client credentials to a client database manager;

setting a cookie for the authenticated client;

receiving an additional request from the client for a network service at the cache server, the request including the cookie; and

authenticating the client for the additional request with the cookie without passing client credentials to the client database manager.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system uses a proxy server to authenticate a client with an authentication protocol that does not support caching. Rather than cache the client'"'"'s authentication credentials, or access a client account manager for each network request generated by the client, the proxy server issues a cookie to an authenticated client and authenticate the client for subsequent request on the basis of the cookie.

268 Citations

27 Claims

1. A method for authentication comprising:
- receiving a request from a client for a network service at a cache server;
  
  authenticating the client according to a non-cacheable authentication protocol, including passing client credentials to a client database manager;
  
  setting a cookie for the authenticated client;
  
  receiving an additional request from the client for a network service at the cache server, the request including the cookie; and
  
  authenticating the client for the additional request with the cookie without passing client credentials to the client database manager.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method according to claim 1, wherein the cookie includes a lifespan duration.
  - 3. A method according to claim 2, wherein the lifespan duration comprises a timestamp field to indicate the duration.
  - 4. A method according to claim 3, wherein the timestamp field comprises a value indicating a number of seconds since epoch of the cookie.
  - 5. A method according to claim 4, wherein the epoch comprises a time of issuance of the cookie by the cache server.
  - 6. A method according to claim 2, wherein authenticating the client for the additional request with the cookie comprises determining that the cookie has not exceeded the duration of its lifespan.
  - 7. A method according to claim 1, wherein authenticating the client for the additional request with the cookie further comprises verifying the cookie for validity.
  - 8. A method according to claim 7, wherein verifying the cookie for validity comprises determining if the client is a client specified in a client identification field of the cookie.
  - 9. A method according to claim 8, wherein determining the client is the client specified further comprises determining that an Internet Protocol (IP) address of the client matches an IP address specified in the client identification field of the cookie.
  - 10. A method according to claim 7, wherein verifying the cookie for validity comprises determining if the client request is for content within a domain specified in a field of the cookie.

11. A network device comprising:
- a network interface to connect to a network to couple to a client device and a domain controller;
  
  a memory having instructions to define operations including authenticating the client device according to an authentication procedure of an authentication protocol to allow network access to the client, issuing a cookie to an authenticated client, and bypassing the authentication procedure of the protocol by authenticating the client with the cookie for subsequent network access; and
  
  a processor to execute the instructions.
- View Dependent Claims (12, 13, 14, 15)
- - 12. A network device according to claim 11, wherein the authentication protocol comprises an NTLMv2 (New Technology LAN (local area network) management, version 2)-based authentication protocol.
  - 13. A network device according to claim 11, wherein the cookie specifies a particular domain associated with the cookie, for which the client can be authenticated with the cookie for subsequent access to content within the domain.
  - 14. A network device according to claim 13, wherein the particular domain comprises a most generic domain to which the content belongs.
  - 15. A network device according to claim 13, wherein the network device is a network cache server.

16. A method comprising:
- receiving a client request for an access to a network domain;
  
  authenticating the client with a non-cacheable, challenge-based authentication protocol at a proxy server, including the proxy server accessing a domain controller;
  
  issuing a cookie for the domain from the proxy server to the authenticated client; and
  
  authenticating the client at the proxy server with the cookie for an additional access to the domain.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. A method according to claim 16, wherein the non-cacheable, challenge-based authentication protocol comprises an authentication protocol based on the NTLM (New Technology LAN (local area network) management) challenge-response authentication procedure.
  - 18. A method according to claim 16, wherein the cookie includes one or more fields of information that are encrypted.
  - 19. A method according to claim 18, wherein the cookie includes a non-encrypted field having a cookie identifier to indicate a valid cookie to the proxy server prior to decryption of the cookie by the proxy server.
  - 20. A method according to claim 18, wherein the cookie includes an encrypted field having a value, the proxy server to assume that decryption of the cookie was successful if the decrypted value matches an expected value stored on the proxy server.
  - 21. A method according to claim 18, wherein the one or more encrypted fields comprises all user and domain information specified in the cookie.

22. An article of manufacture comprising a machine-accessible medium having content to provide instructions to result in a machine performing operations including:
- receiving a client request for an access to a network domain;
  
  authenticating the client with a non-cacheable, challenge-based authentication protocol at a proxy server, including the proxy server accessing a domain controller;
  
  issuing a cookie for the domain from the proxy server to the authenticated client; and
  
  authenticating the client at the proxy server with the cookie for an additional access to the domain.
- View Dependent Claims (23, 24)
- - 23. An article of manufacture according to claim 22, wherein the non-cacheable, challenge-based authentication protocol comprises an authentication protocol based on the NTLM (New Technology LAN (local area network) management) challenge-response authentication procedure.
  - 24. An article of manufacture according to claim 22, wherein the cookie specifies a domain and the client for which the cookie can be used for authentication.

25. A system comprising:
- a domain controller to manage a client account database, the client account database to store values associated with client credentials, the domain controller to verify client credentials with the values stored in the client account database to verify an identity of the client; and
  
  a caching server coupled to the domain controller, to receive from a client device having a network address network service request, pass credentials obtained from the client to the domain controller to authenticate the client, issue a cookie to the client to indicate the client has been authenticated, and authenticate the client for a network service request on the basis of the cookie.
- View Dependent Claims (26, 27)
- - 26. A system according to claim 25, wherein the network service request comprises an HTTP (HyperText Transfer Protocol) request for network content.
  - 27. A system according to claim 26, wherein the caching server to authenticate the client for the subsequent HTTP request comprises the caching server to determine if the cookie includes a valid cookie identifier and a client IP address that matches the network address of the client, and if the cookie has not expired.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Krishna, Ravi

Granted Patent

US 8,887,233 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/158
CPC Class Codes

H04L 63/0281 Proxies

H04L 63/08 for authentication of entit...

Cookie-based acceleration of an authentication protocol

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

268 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Cookie-based acceleration of an authentication protocol

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

268 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links