METHOD AND SYSTEM FOR GLOBAL LOGOFF FROM A WEB-BASED POINT OF CONTACT SERVER

US 20080294781A1
Filed: 05/23/2007
Published: 11/27/2008
Est. Priority Date: 05/23/2007
Status: Active Grant

First Claim

Patent Images

1. A method, operative at a point of contact that serves as an intermediary between a client browser and one or more back end applications, wherein each back-end application has the capability to set its own server-side session management data with respect to the point of contact that is independent of any client-side session management data set by the point of contact and used by the point of contact to manage a user session, the method comprising:

as a back end application returns a response to a first request that has been issued from the client browser, associating with the server-side session management data given information that can be used to determine whether the server-side session management data is valid for a subsequent request, and forwarding to the client browser the response together with the server-side session management data and the given information; and

upon receipt of a new request that has associated therewith the server-side management data and the given information, determining whether the given information is valid and, if so, removing the given information from the server-side session management data and forwarding to the back-end application the new request, together with the server-side management data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method carried out at a point of contact (e.g., reverse proxy, a web server plug-in, or the like) that serves as an intermediary between a client browser and one or more back-end applications (or application component), wherein each back-end application has the capability to set its own server-side session management data with respect to the point of contact that is independent of any client-side session management data set by the point of contact and used by the point of contact to manage a user session. The method begins as a given back-end application returns a response to a first request that has been issued from the client browser (the first request having been received at the point of contact and passed to a back end application or component for processing). The point of contact intercepts the out-going response, augments server-side session management data associated therewith with a “stamp,” and forwards to the client browser the response together with the server-side session management data as augmented to include the stamp. The stamp provides a way for the point of contact to later determine whether the server-side session management data, if received with another user request, is valid for that request. Later, upon receipt at the point of contact of a new user request that includes the server-side session management data (and stamp), the point of contact uses the stamp to determine whether the new request is valid. If so, the point of contact removes the stamp from the server-side session management data and forwards the new request (and the management data) to the back-end application for handling.

Citations

23 Claims

1. A method, operative at a point of contact that serves as an intermediary between a client browser and one or more back end applications, wherein each back-end application has the capability to set its own server-side session management data with respect to the point of contact that is independent of any client-side session management data set by the point of contact and used by the point of contact to manage a user session, the method comprising:
- as a back end application returns a response to a first request that has been issued from the client browser, associating with the server-side session management data given information that can be used to determine whether the server-side session management data is valid for a subsequent request, and forwarding to the client browser the response together with the server-side session management data and the given information; and
  
  upon receipt of a new request that has associated therewith the server-side management data and the given information, determining whether the given information is valid and, if so, removing the given information from the server-side session management data and forwarding to the back-end application the new request, together with the server-side management data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 23)
- - 2. The method as described in claim 1 wherein the server-side session management data is a data string set by a back-end application, and the given information is a validity stamp derived as a given function of the data string.
  - 3. The method as described in claim 2 wherein the given function is a hash of the data string concatenated with a given value.
  - 4. The method as described in claim 3 wherein the given value is a one-time use value associated with a given user session initiated from the client browser.
  - 5. The method as described in claim 3 wherein the step of determining whether the given information is valid determines whether the stamp can be re-created from the data string and a current point of contact one-time use value for a current user session.
  - 6. The method as described in claim 1 wherein the point of contact is a reverse proxy.
  - 7. The method as described in claim 1 wherein the point of contact is a server plug-in.
  - 8. A computer-readable medium having computer-executable instructions for performing the method steps of claim 1.
  - 9. A server comprising a processor, and a computer-readable medium, the computer-readable medium having processor-executable instructions for performing the method steps of claim 1.
  - 23. A proxy comprising a processor, and a computer-readable medium, the computer-readable medium having processor-executable instructions for performing the method steps of claim 1.

10. In a point of contact that serves as an intermediary between a client browser and a one or more back end applications, wherein each back-end application has the capability to set its own server-side session management data with respect to the point of contact that is independent of any client-side session management data set by the point of contact and used by the point of contact to manage a user session initiated from the client browser, wherein server-side session management data has the capability of being reused by a second end user through the client browser after a first end user has logged off, the improvement comprising:
- as the first end user interacts with the back end application during the user session, associating given information with the server-side session management data returned from the point of contact; and
  
  as the second end user attempts to interact with the back end application after the first end user has logged off, using the given information to determine whether the second user obtains access to the first end user'"'"'s resources at the back-end application.

11. Apparatus, comprising:
- a manager component that serves as an intermediary between a client browser and one or more back end applications, wherein each back end application has the capability to set its own server-side session management data; and
  
  a computer readable medium having program code executable by a processor to perform the following method steps;
  
  as a back end application returns a response to a first request that has been issued from the client browser, associating with the server-side session management data given information that can be used to determine whether the server-side session management data is valid for a subsequent request, and forwarding to the client browser the response together with the server-side session management data and the given information; and
  
  upon receipt of a new request that has associated therewith the server-side management data and the given information, determining whether the given information is valid and, if so, removing the given information from the server-side session management data and forwarding to the back-end application the new request, together with the server-side session management data.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The apparatus as described in claim 11 wherein the server-side session management data is a session cookie set by a back-end application, and the given information is a validity stamp derived as a given function of the session cookie.
  - 13. The apparatus as described in claim 12 wherein the given function is a hash of the session cookie concatenated with a given value.
  - 14. The apparatus as described in claim 13 wherein the given value is a one-time use value associated with a given user session initiated from the client browser.
  - 15. The apparatus as described in claim 13 wherein the step of determining whether the given information is valid determines whether the stamp can be re-created from the session cookie and a current point of contact one-time use value for a current user session.
  - 16. The apparatus as described in claim 11 wherein the manager component performs an authentication function.
  - 17. The apparatus as described in claim 11 wherein the manager component performs an authorization function.
  - 18. The apparatus as described in claim 11 wherein the program code executes in a reverse proxy.
  - 19. The apparatus as described in claim 11 wherein the program code executes in a server plug-in.

20. A method, operative at a point of contact that serves as an intermediary between a client browser and one or more back-end applications, comprising:
- as a back end application returns a response to a first request that has been issued from the client browser, stamping a session cookie set by the back end application and forwarding to the client browser the response together with the stamped session cookie; and
  
  upon receipt of a new request that has associated therewith the stamped session cookie, forwarding to the back end application the new request together with the session cookie if the stamped session cookie is determined to be valid.
- View Dependent Claims (21, 22)
- - 21. The method as described in claim 20 wherein the stamped session cookie is determined to be valid if;
    - upon receipt of the new request, the stamped session cookie can be generated from a current one-time use value associated with a current user session.
  - 22. A computer-readable medium having computer-executable instructions for performing the method steps of claim 20.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hinton, Heather Maria, Moran, Anthony Scott, Harmon, Benjamin Brewer

Granted Patent

US 9,800,614 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/227
CPC Class Codes

G06F 16/2365   Ensuring data consistency a...

G06F 16/24552   Database cache management

G06F 16/27   Replication, distribution o...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/20   for managing network securi...

H04L 9/3213   using tickets or tokens, e....

METHOD AND SYSTEM FOR GLOBAL LOGOFF FROM A WEB-BASED POINT OF CONTACT SERVER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR GLOBAL LOGOFF FROM A WEB-BASED POINT OF CONTACT SERVER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links