Client Device Information for Controlling Access to Web Applications

US 20180082054A1
Filed: 09/19/2017
Published: 03/22/2018
Est. Priority Date: 09/19/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one client device comprising a first processing system having at least one processor,wherein the first processing system is configured to perform operations comprising;

executing a first client application within a web browser, the first client application providing a first client-side portion of a web application;

executing a second client application providing a second client-side portion of the web application; and

executing a service application configured to determine at least one piece of client identifying information and to provide the determined at least one piece of client identifying information to the first client application and to the second client application in response to respective requests,at the first client application and the second client application, obtaining the determined at least one piece of client identifying information from the service application, andat the first client application, transmitting a first request with the obtained at least one piece of client identifying information, andat the second client application, transmitting a second request with the obtained at least one piece of client identifying information; and

at least one server device comprising a second processing system having at least one processor,wherein the second processing system is configured to execute a server-side process of the web application and to perform operations comprising;

receiving the first request from the first client application and the second request from the second client application, the first request including a first client identifying information and the second request including second client identifying information;

determining whether the second client identifying information corresponds to the first client identifying information; and

performing a first action which includes enabling the first and second client applications to share a login session if the determining determines that the second client identifying information corresponds to the first client identifying information, and performing a second action which includes disabling a login session for at least one of the first and second client applications if the determining determines that the second client identifying information does not correspond to the first client identifying information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The described technology provides for plural application processes including at least one application in a browser to reliably acquire device information that can be used by other processes to accurately determine whether the plural applications are running on the same client device and/or are associated with aspects of the same client device. The more reliable determination of the devices associated with respective application processes can be used for various purposes such as, for example, user access management capabilities such as improved single sign-on (SSO) capability and/or improved multiple login prevention (MLP) capability.

20 Citations

View as Search Results

22 Claims

1. A system comprising:
- at least one client device comprising a first processing system having at least one processor,wherein the first processing system is configured to perform operations comprising;
  
  executing a first client application within a web browser, the first client application providing a first client-side portion of a web application;
  
  executing a second client application providing a second client-side portion of the web application; and
  
  executing a service application configured to determine at least one piece of client identifying information and to provide the determined at least one piece of client identifying information to the first client application and to the second client application in response to respective requests,at the first client application and the second client application, obtaining the determined at least one piece of client identifying information from the service application, andat the first client application, transmitting a first request with the obtained at least one piece of client identifying information, andat the second client application, transmitting a second request with the obtained at least one piece of client identifying information; and
  
  at least one server device comprising a second processing system having at least one processor,wherein the second processing system is configured to execute a server-side process of the web application and to perform operations comprising;
  
  receiving the first request from the first client application and the second request from the second client application, the first request including a first client identifying information and the second request including second client identifying information;
  
  determining whether the second client identifying information corresponds to the first client identifying information; and
  
  performing a first action which includes enabling the first and second client applications to share a login session if the determining determines that the second client identifying information corresponds to the first client identifying information, and performing a second action which includes disabling a login session for at least one of the first and second client applications if the determining determines that the second client identifying information does not correspond to the first client identifying information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system according to claim 1, wherein the second processing system is further configured to:
    - in response to the first request, return a session identifier to the first client application;
      
      in response to the second request, (A) provide the session identifier to the second client application if the determining determines that the second client identifying information corresponds to the first client identifying information, or (B) not provide the session identifier to the second client application if the determining determines that the second client identifying information does not correspond to the first client identifying information.
  - 3. The system according to claim 2, wherein the second processing system is further configured to provide for disabling a session represented by the session identifier if the determining determines that the second client identifying information does not correspond to the first client identifying information.
  - 4. The system according to claim 1, wherein the determined at least one piece of client identifying information comprises information unique to the first processing system.
  - 5. The system according to claim 4, wherein the service application obtains the information unique to the first processing system from an operating system of the first processing system, and wherein at least one of the first client application or the second client application has insufficient access privileges to obtain the information unique to the first processing system directly from the operating system.
  - 6. The system according to claim 1, wherein the determined at least one piece of identifying information is at least partly based upon a unique identifier of a hardware element or a software element in the first processing system.
  - 7. The system according to claim 1, wherein the determined at least one piece of client identifying information is at least partly based upon a unique identifier associated with a software element in the first processing system.
  - 8. The system according to claim 1, wherein the service application executes with a privilege level different from privilege levels of at least one of the first client application or the second client application.
  - 9. The system according to claim 1, wherein the service application is a HTTP server process, and wherein communication between the service application and the first client application is based upon HTTP and JSON.
  - 10. The system according to claim 9, wherein, upon startup, the service application automatically binds to a first available port by sequentially searching from a predetermined port.
  - 11. The system according to claim 9, wherein the communication includes a HTTP query which includes a request portion having included therein a timestamp.
  - 12. The system according to claim 11, wherein the first client application is further configured to, upon receiving a response to the HTTP query, compare a timestamp returned with the response against a current time and accept the response only if the time difference between the returned timestamp and the current time is less than a predetermined interval.
  - 13. The system according to claim 11, wherein a request parameter of the HTTP query is encrypted, and a command identifier in the HTTP query is not encrypted.

14. A method performed by a first processing system having at least one processor, the method comprising:
- running (A) a first client application within a web browser, the first client application providing a first client-side portion of a web application, (B) a second client application providing a second client-side portion of the web application, and (C) a service application configured to determine at least one piece of client identifying information and to provide the determined at least one piece of client identifying information to the first client application and to the second client application in response to respective requests,obtaining, by the first client application and the second client application, the determined at least one piece of client identifying information from the service application;
  
  transmitting to a server side process of the web application, by the first client application and the second client application, respective requests including the obtained at least one piece of client identifying information; and
  
  responsive to a response received from the server side process for the second request, determining further processing of at least one of the first client application or the second client application.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method according to claim 14, wherein the determined at least one piece of client identifying information comprises information unique to the first processing system.
  - 16. The method according to claim 15, wherein the service application obtains the information unique to the first processing system from an operating system of the first processing system, and wherein at least one of the first client application or the second client application has insufficient access privileges to obtain the information unique to the first processing system directly from the operating system.
  - 17. The method according to claim 14, wherein the service application is a HTTP server process, and wherein communication between the service application and the first client application is based upon HTTP and JSON.
  - 18. The method according to claim 17, wherein, upon startup, the service application automatically binds to a first available port by sequentially searching from a predetermined port, and wherein the communication includes a HTTP query which includes a request portion having included therein a timestamp.
  - 19. The method according to claim 18, wherein the first client application is further configured to, upon receiving a response to the HTTP query, compare a timestamp returned with the response against a current time and accept the response only if the time difference between the returned timestamp and the current time is less than a predetermined interval.

20. A non-transitory computer-readable storage device having stored therein instructions, that when executed by at least one processor of a first processing system, causes the first processing system to perform operations comprising:
- running (A) a first client application within a web browser, the first client application providing a first client-side portion of a web application, (B) a second client application providing a second client-side portion of the web application, and (C) a service application configured to determine at least one piece of client identifying information and to provide the determined at least one piece of client identifying information to the first client application and to the second client application in response to respective requests,obtaining, by the first client application and the second client application, the determined at least one piece of client identifying information from the service application;
  
  transmitting to a server side process of the web application, by the first client application and the second client application, respective requests including the obtained at least one piece of client identifying information; and
  
  responsive to a response received from the server side process for the second request, determining further processing of at least one of the first client application or the second client application.

21. A method performed by a server-side process of a web application executing on at least one processor of a first processing system in a server device, the method comprising:
- receiving, via a communication network and from at least one client device, a first request from the first client application and a second request from the second client application, the first request including a first client identifying information and the second request including second client identifying information;
  
  determining whether the second client identifying information corresponds to the first client identifying information and identifies a same client device; and
  
  performing a first action if the determining determines that the second client identifying information corresponds to the first client identifying information, and performing a second action, different from the first action, if the determining determines that the second client identifying information does not correspond to the first client identifying information.
- View Dependent Claims (22)
- - 22. The method according to claim 21, wherein the at least one processor of the first processing system is further configured to:
    - periodically transmit a character string to a service application executing on the at least one client device, andwherein the determining that the second client identifying information corresponds to the first client identifying information includes identifying the transmitted character string in the first client identifying information and the second client identifying information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nasdaq, Inc.
Original Assignee
Nasdaq, Inc.
Inventors
KHWAJA, Anis A., FAYERMAN, Dimitry, MITEVSKI, Vladimir

Granted Patent

US 11,216,551 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/44   Program or device authentic...

H04L 63/0428   wherein the data content is...

H04L 63/105   Multiple levels of security

H04L 67/02   based on web technology, e....

H04L 67/141   Setup of application sessio...

H04L 67/148   Migration or transfer of se...

Client Device Information for Controlling Access to Web Applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Client Device Information for Controlling Access to Web Applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links