Method and an apparatus to validate a web session in a proxy server

US 20080289025A1
Filed: 07/17/2007
Published: 11/20/2008
Est. Priority Date: 05/18/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

upon receiving a message generated by an application server in response to an authentication request to initiate a web session from a client, generating a first message authentication code at a proxy server communicatively coupled between the application server and the client;

adding the first message authentication code and one or more timestamps to the message; and

sending the message from the proxy server to the client, wherein the client uses the first message authentication code and the one or more timestamps to request access to predetermined content during the web session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of a method and an apparatus to validate a web session in a proxy server have been presented. In one embodiment, a first message authentication code is generated at a proxy server communicatively coupled between an application server and a client upon receiving a message from the application server. The message is generated by the application server in response to an authentication request from the client to initiate a web session. The proxy server then adds the first message authentication code and one or more timestamps to the message. Then the proxy server may send the message to the client, wherein the client may use the first message authentication code and the one or more timestamps to request access to predetermined content during the web session.

78 Citations

View as Search Results

28 Claims

1. A method comprising:
- upon receiving a message generated by an application server in response to an authentication request to initiate a web session from a client, generating a first message authentication code at a proxy server communicatively coupled between the application server and the client;
  
  adding the first message authentication code and one or more timestamps to the message; and
  
  sending the message from the proxy server to the client, wherein the client uses the first message authentication code and the one or more timestamps to request access to predetermined content during the web session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - offloading service of the predetermined content from the application server to the proxy server; and
      
      using the proxy server to control access to the predetermined content by the client during the web session.
  - 3. The method of claim 1, further comprising:
    - during the web session, using the proxy server to compute a second message authentication code based on one or more previously obtained access control tokens in an access request from the client;
      
      using the proxy server to compare the second message authentication code computed against a third message authentication code in the access request;
      
      validating the third message authentication code in the access request if the second message authentication code matches the third message authentication code; and
      
      denying the access request if the second message authentication code is different from the third message authentication code.
  - 4. The method of claim 1, further comprising:
    - using the proxy server to check an access control token within an access request from the client to determine if the client is authorized to access the predetermined content during the web session.
  - 5. The method of claim 1, further comprising:
    - using the proxy server to serve the predetermined content to the client if a message authentication code within an access request from the client is validated and an access control token within the access request indicates that the client has been authorized to access the predetermined content.
  - 6. The method of claim 1, further comprising:
    - denying the client access to the predetermined content if a message authentication code within an access request from the client is invalid.
  - 7. The method of claim 1, further comprising:
    - denying the client access to the predetermined content if an access control token within an access request from the client indicates that the client is not authorized to access the predetermined content.
  - 8. The method of claim 1, further comprising:
    - using the proxy server to issue a set of updated credentials to the client during the web session, the set of updated credentials comprising at least one of an updated message authentication code, an updated timestamp, and updated access control tokens.
  - 9. The method of claim 1, wherein the predetermined content comprises static content.

10. A proxy server comprising:
- a network interface to communicatively couple to a network to receive a message generated by an application server in response to an authentication request from a client to initiate a web session; and
  
  an authentication module to add one or more timestamps to the message, wherein the authentication module comprises a message authentication code computation module to generate a first message authentication code for the message, wherein the authentication module is operable to add the first message authentication code to the message and the network interface is operable to send the message to the client via the network, wherein the client uses the first message authentication code and the one or more timestamps to request access to predetermined content during the web session.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The proxy server of claim 10, further comprising:
    - a content serving module to serve the predetermined content to the client during the web session, wherein the authentication module is further operable to control access to the predetermined content by the client during the web session.
  - 12. The proxy server of claim 10, wherein the authentication module is operable to issue a set of updated credentials to the client during the web session, the set of updated credentials comprising at least one of an updated message authentication code, an updated timestamp, and an updated access control token.
  - 13. The proxy server of claim 10, wherein the message authentication code computation module is further operable to compute a second message authentication code based on one or more access control tokens in an access request from the client and to compare the second message authentication code computed against a previously obtained message authentication code within the access request.
  - 14. The proxy server of claim 10, wherein the authentication module is operable to check an access control token within an access request from the client to determine if the client is authorized to access the predetermined content.
  - 15. The proxy server of claim 10, wherein the content serving module serves the predetermined content to the client if a message authentication code within an access request from the client is validated and an access control token within the access request indicates that the client has been authorized to access the predetermined content.
  - 16. The proxy server of claim 10, wherein the authentication module is operable to deny the client access to the predetermined content if a message authentication code within an access request from the client is invalid.
  - 17. The proxy server of claim 10, wherein the authentication module is operable to deny the client access to the predetermined content if an access control token within an access request from the client indicates that the client is not authorized to access the predetermined content.
  - 18. A system comprising the proxy server of claim 10, further comprising the application server and a backend server coupled to the application server.
  - 19. A system comprising the proxy server of claim 10, wherein the predetermined content comprises static content, and the system further comprises:
    - a repository coupled to the proxy server, to store the static content.

20. A machine-readable medium that provides instructions that, if executed by a processor, will cause the processor to perform operations comprising:
- upon receiving a message generated by an application server in response to an authentication request to initiate a web session from a client, generating a first message authentication code at a proxy server communicatively coupled between the application server and the client;
  
  adding the first message authentication code and one or more timestamps to the message; and
  
  sending the message from the proxy server to the client, wherein the client uses the first message authentication code and the one or more timestamps to request access to predetermined content during the web session.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The machine-readable medium of claim 20, wherein the operations further comprise:
    - offloading service of the predetermined content from the application server to the proxy server; and
      
      using the proxy server to control access to the predetermined content by the client during the web session.
  - 22. The machine-readable medium of claim 20, wherein the operations further comprise:
    - during the web session, using the proxy server to compute a second message authentication code based on one or more previously obtained access control tokens in an access request from the client;
      
      using the proxy server to compare the second message authentication code computed against a third message authentication code in the access request;
      
      validating the third message authentication code in the access request if the second message authentication code matches the third message authentication code; and
      
      denying the access request if the second message authentication code is different from the third message authentication code.
  - 23. The machine-readable medium of claim 20, wherein the operations further comprise:
    - using the proxy server to check an access control token within an access request from the client to determine if the client is authorized to access the predetermined content during the web session.
  - 24. The machine-readable medium of claim 20, wherein the operations further comprise:
    - using the proxy server to serve the predetermined content to the client if a message authentication code within an access request from the client is validated and an access control token within the access request indicates that the client has been authorized to access the predetermined content.
  - 25. The machine-readable medium of claim 20, wherein the operations further comprise:
    - denying the client access to the predetermined content if a message authentication code within an access request from the client is invalid.
  - 26. The machine-readable medium of claim 20, wherein the operations further comprise:
    - denying the client access to the predetermined content if an access control token within an access request from the client indicates that the client is not authorized to access the predetermined content.
  - 27. The machine-readable medium of claim 20, wherein the operations further comprise:
    - using the proxy server to issue a set of updated credentials to the client during the web session, the set of updated credentials comprising at least one of an updated message authentication code, an updated timestamp, and updated access control tokens.
  - 28. The machine-readable medium of claim 20, wherein the predetermined content comprises static content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Schneider, James Paul

Granted Patent

US 8,489,740 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

Method and an apparatus to validate a web session in a proxy server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

78 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and an apparatus to validate a web session in a proxy server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links