HTTP AUTHENTICATION AND AUTHORIZATION MANAGEMENT

US 20100024014A1
Filed: 07/24/2008
Published: 01/28/2010
Est. Priority Date: 07/24/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method, comprising:

receiving at a processing node a first request for a domain from a client browser, the client browser associated with a first communication address;

identifying a first authorized user data associated with the first request;

identifying at the processing node the first communication address associated with the client browser;

associating at the processing node the first communication address of the client browser with the first authorized user data;

encrypting at the processing node the first authorized user data and the associated first communication address to generate a first associated authorization data; and

providing the first associated authorization data to the client browser at the first communication address.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include a source processor that is used to identify the source associated with a request for authentication or authorization. The source processor can maintain the initial source associated with the request through the use of an association token. The associate token can be transmitted with each subsequent request that includes authentication or authorization data. The source processor can use the associate token to verify that the source associated with the initial request is the same as the source associated with subsequent authentication and authorization requests.

83 Citations

View as Search Results

19 Claims

1. A computer implemented method, comprising:
- receiving at a processing node a first request for a domain from a client browser, the client browser associated with a first communication address;
  
  identifying a first authorized user data associated with the first request;
  
  identifying at the processing node the first communication address associated with the client browser;
  
  associating at the processing node the first communication address of the client browser with the first authorized user data;
  
  encrypting at the processing node the first authorized user data and the associated first communication address to generate a first associated authorization data; and
  
  providing the first associated authorization data to the client browser at the first communication address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the request is an http request.
  - 3. The method of claim 1, wherein receiving at a processing node a first request from a client browser comprises receiving at a processing node a first request for a domain from a client browser identifiable by a communication address.
  - 4. The method of claim 1, wherein the first communication address of the client browser is a port address.
  - 5. The method of claim 1, wherein the first associated authorization data is an http cookie.
  - 6. The method of claim 1, wherein the authorized user data is based on authentication data for a user.
  - 7. The method of claim 1, further comprising:
    - receiving at the processing node a second request for a domain, and a second associated authorization data;
      
      decrypting at the processing node the second associated authorization data into a second authorized user data and a second communication address;
      
      determining whether the second communication address is the same as the first communication address; and
      
      if the second communication address is the same as the first communication address, allowing the request;
      
      if the second communication address is not the same as the first communication address, requesting user authorization from the client browser at the second communication address.
  - 8. The method of claim 7, wherein requesting user authorization comprises:
    - requesting user authentication from the client browser at the second communication address; and
      
      generating authorized user data based on the requested user authentication.

9. Software stored in a computer readable medium and comprising instructions executable by a data processing system and upon such execution cause the data processing system to perform operations comprising:
- receiving a request for a domain from a client browser, the client browser associated with a communication address;
  
  identifying authorized user data associated with the request;
  
  identifying the communication address associated with the client browser;
  
  associating the communication address of the client browser with the authorized user data;
  
  encrypting the authorized user data and the associated first communication address to generate a associated authorization data; and
  
  providing the associated authorization data to the client browser at the communication address.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The software of claim 9, wherein the communication address is a port address.
  - 11. The software of claim 9, wherein the request is an http request.
  - 12. The software of claim 9, wherein the associated authorization data is received in the form of an http cookie.
  - 13. The software of claim 9, wherein the authorized user data is based on authentication data.

14. Software stored in a computer readable medium and comprising instructions executable by a data processing system and upon such execution cause the data processing system to perform operations comprising:
- receiving a request for a domain and associated authorization data from a client browser, the client browser associated with a request communication address;
  
  identifying the request communication address associated with the client browser;
  
  decrypting the associated authorization data into authorized user data and a source communication address;
  
  determining whether the request communication address is the same as the source communication address; and
  
  if the request communication address is the same as the source communication address, allowing the request; and
  
  if the request communication address is not the same as the source communication address, requesting user authorization from the client browser at the request communication address.

15. A network security system, comprising:
- a plurality of nodes external to network edges of an external system, each node comprising;
  
  a source processor configured to receive at a processing node a first request for a first domain from a first client browser, the first client browser associated with a first communication address;
  
  identify a first authorized user data associated with the first request;
  
  identify at the processing node the first communication address associated with the first client browser;
  
  associate at the processing node the first communication address of the first client browser with the first authorized user data;
  
  encrypt at the processing node the first authorized user data and the first associated first communication address to generate a first associated authorization data; and
  
  provide the first associated authorization data to the first client browser at the first communication address.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, the source processor further configured to:
    - receives a second request for a second domain and second associated authorization data from a second client browser, the second client browser associated with a second communication address;
      
      identify a second communication address associated with the second client browser;
      
      decrypts the second associated authorization data into second authorized user data and the second communication address;
      
      determine whether the second communication address is the same as the first communication address;
      
      if the second communication address is the same as the first communication address, allow the second request;
      
      if the second communication address is not the same as the first communication address, request user authorization from the second client browser at the second communication address.
  - 17. The system of claim 16, wherein the first domain and the second domain are the same domain.
  - 18. The system of claim 16, wherein the source processor is further configured to encrypt the associated authorization data using a private key that is generated at the processing node.
  - 19. The system of claim 16, wherein the source processor is further configured to decrypt the associated authorization data using a public key that is generated at the processing node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
SafeChannel, Inc.
Inventors
Kailash, Kailash, Mullick, Amarnath, Raphel, Jose, Nanjundaswamy, Shashidhara Mysore

Granted Patent

US 9,379,895 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 9/3213   using tickets or tokens, e....

HTTP AUTHENTICATION AND AUTHORIZATION MANAGEMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

HTTP AUTHENTICATION AND AUTHORIZATION MANAGEMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links