System and method for providing secure URL-based access to private resources

US 6,360,254 B1
Filed: 03/30/1999
Issued: 03/19/2002
Est. Priority Date: 09/15/1998
Status: Expired due to Term

First Claim

Patent Images

1. In a Web site system in which different users are provided access to different private resources, a computer-implemented method of providing a user secure access to a private resource over a publicly-accessible network without requiring the user to enter authentication information, the method comprising:

obtaining an email address of the user;

generating a token using a token generation method that distributes tokens substantially randomly over a token space, the token space selected to be sufficiently large to inhibit identification of a valid token by trial and error, wherein generating the token comprises generating a token value of at least 64 bits;

combining the token and a predefined character string to form a uniform resource locator (URL) which corresponds to the private resource;

generating an email message which includes the URL, and transmitting the email message to the email address of the user; and

in response to receiving a request for the URL over the publicly-accessible network from a user, accessing the resource without requiring the user to enter authentication information.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a Web site system in which different private records or other resources are personal to different users, a method is provided for allowing users to securely access a private resource without the need to enter a username, password, or other authentication information, and without the need to download special authentication software or data to the user'"'"'s computer. Each resource is assigned a private uniform resource locator (URL) which includes a fixed character string and a unique token, and the URLs are conveyed by email (preferably using hyperlinks) to users that are entitled to access such resources. The tokens are generated using a method which distributes the tokens substantially randomly over the range of allowable token values (“token space”). The token space is selected to be sufficiently large relative to the expected number of valid tokens to inhibit the identification of valid tokens through trial and error. When a user attempts to access a private URL (such as to access a private account information page), a token validation program is used to determine whether the token is valid. The method may be used to provide users secure to access private account information on the Web site of merchant. Other practical applications include electronic gift certificate and coupon redemption, gift registries, order confirmation electronic voting, and electronic greeting cards.

796 Citations

36 Claims

1. In a Web site system in which different users are provided access to different private resources, a computer-implemented method of providing a user secure access to a private resource over a publicly-accessible network without requiring the user to enter authentication information, the method comprising:
- obtaining an email address of the user;
  
  generating a token using a token generation method that distributes tokens substantially randomly over a token space, the token space selected to be sufficiently large to inhibit identification of a valid token by trial and error, wherein generating the token comprises generating a token value of at least 64 bits;
  
  combining the token and a predefined character string to form a uniform resource locator (URL) which corresponds to the private resource;
  
  generating an email message which includes the URL, and transmitting the email message to the email address of the user; and
  
  in response to receiving a request for the URL over the publicly-accessible network from a user, accessing the resource without requiring the user to enter authentication information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the resource comprises personal account information stored in a database, and accessing the resource comprises returning to the user a private Web page which includes the account information.
  - 3. The method of claim 2, wherein the account information includes a subscription profile for an email-based subscription service, and the private Web page includes an electronic form for modifying the subscription profile.
  - 4. The method of claim 1, wherein accessing the resource comprises transmitting to the user a Web page that contains an electronic greeting card created for the user by another user.
  - 5. The method of claim 1, wherein accessing the resource comprises updating a database to indicate that the private URL was accessed.
  - 6. The method of claim 5, wherein updating the database comprises crediting an account of the user with a monetary amount.
  - 7. The method of claim 5, wherein updating the database comprises confirming an order.
  - 8. The method of claim 5, wherein updating the database comprises recording a vote placed by the user.
  - 9. The method of claim 1, wherein accessing the resource comprises accessing a gift registry of another user.
  - 10. The method of claim 1, wherein generating the token comprises using at least one of an encryption algorithm and a pseudo-random number generation algorithm.
  - 11. The method of claim 1, generating the token comprises encoding the email address of the user within token, and accessing the resource comprises extracting the email address from the token to identify the user.
  - 12. The method of claim 1, further comprising storing the token in a table which maps valid tokens to user identifiers, and wherein accessing the resource comprises accessing the table to identify the user.
  - 13. The method of claim 1, further comprising invalidating the private URL after at least one of (a) a single use, and (b) a predetermined period of time.
  - 14. The method of claim 1, wherein generating the token comprises encoding a timestamp within the token.
  - 15. The method of claim 1, wherein generating the token is performed automatically in response to an electronic form submission by the user.

16. A computer system for providing secure Web-based access to private resources over a publicly-accessible network without requiring users to enter authentication information, comprising:
- a database which includes a plurality of private records, wherein different private records correspond to different users; and
  
  a server system which communicates with Web clients over the publicly-accessible network to provide restricted user access to the private records, the server system including a server application that (a) generates tokens which correspond to specific private records such that outstanding tokens are distributed substantially randomly over a token space, wherein each of said tokens comprises at least 64 bits, (b) generates private uniform resource locators (URLs) which include the tokens, (c) transmits the private URLs to corresponding users to enable the users to access corresponding private records, and (d) validates tokens received from Web clients in URL requests;
  
  wherein the server system responds to a URL request which includes a valid token by returning information contained in a private record which corresponds to the token, without requiring user entry of authentication information.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. The computer system of claim 16, wherein the server application distributes the tokens over a token space which is sufficiently large to inhibit the identification of valid tokens by trial-and-error.
  - 18. The computer system of claim 16, wherein the server application generates the tokens using at least one of an encryption algorithm and a pseudo-random number generation algorithm.
  - 19. The computer system of claim 16, wherein the server system conveys the URLs to the users over the publicly-accessible network by email.
  - 20. The computer system of claim 16, further comprising a table which maps tokens to private records, the table stored in memory and accessed by the server application.
  - 21. The computer system of claim 16, wherein the server application encodes email addresses within the tokens, and extracts the email addresses from received tokens to determine whether the tokens are valid.
  - 22. The computer system of claim 16, wherein the server application invalidates a token after at least one of (a) a single use, or (b) a predetermined period of time.
  - 23. The computer system of claim 16, wherein the server system responds to a private URL that includes a valid token by generating and returning a private Web page.
  - 24. The computer system of claim 23, wherein the server system implements an email-based subscription service in which the tokens are used to provide secure access to private Web pages that allow users to modify personal subscription profiles.
  - 25. The computer system of claim 16, wherein the server system implements a gift registry system in which the private URLs provide access to private gift registries.
  - 26. The computer system of claim 16, wherein the server system implements an electronic gift certificate system in which the tokens are used to redeem electronic gift certificates.
  - 27. The computer system of claim 16, wherein the server system implements an electronic greeting card system in which the tokens are used to provide secure access to private greeting card Web pages.
  - 28. The computer system of claim 16, wherein the server system implements an electronic voting system wherein a request for a private URL represents a vote by a user.
  - 29. The computer system of claim 16, wherein the server system implements an electronic coupon system in which the private URLs provide one-time-use discounts to users.

30. In a Web site system of a merchant, a computer-implemented method of providing customized information to a user about products and/or services available from the merchant, comprising:
- obtaining an email address and a subscription profile from the user, the subscription profile indicating product and/or service categories selected by the user;
  
  transmitting to the user at least one email document which contains descriptions of products and/or services, the descriptions selected based on the subscription profile;
  
  generating and transmitting to the user a private uniform resource locator (URL) which provides access to a private Web page for at least securely revising the subscription profile, the URL containing a token which is generated using a method which distributes tokens substantially randomly over a token space; and
  
  responding to a client request for the private URL by returning the private Web page without requiring entry of authentication information.
- View Dependent Claims (31, 32, 33, 34, 35, 36)
- - 31. The method of claim 30, wherein transmitting the private URL to the user comprises transmitting the URL by email.
  - 32. The method of claim 30, wherein the method is performed without requiring the user to submit or specify any information other than the email address and the selected categories of products and/or services.
  - 33. The method of claim 30, wherein generating the private URL comprises using at least one of an encryption algorithm and a pseudo-random number generation algorithm to generate the token.
  - 34. The method of claim 30, wherein generating the private URL comprises encoding the email address of the user within token, and wherein responding to the client request comprises extracting the email address from the token.
  - 35. The method of claim 30, wherein generating the private URL comprises encoding a time value within the token, and wherein responding to the client request comprises using the time value to determine whether the private URL has expired.
  - 36. The method of claim 30, wherein generating the private URL comprises generating a token value which contains at least 64 bits.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon.com Holdings LLC (Amazon.com, Inc.)
Inventors
Linden, Gregory D., Snodgrass, Ryan J., McDaniel, Michael D., Spiegel, Joel R.
Primary Examiner(s)
VU, VIET DUY

Application Number

US09/280,513
Time in Patent Office

1,085 Days
Field of Search

709/203, 709/206, 709/217, 709/219, 709/223, 709/224, 709/225, 709/313, 709/329, 713/201
US Class Current

709/219
CPC Class Codes

G06F 16/955   using information identifie...

G06F 21/31   User authentication

G06F 21/6245   Protecting personal data, e...

G06F 2221/2151   Time stamp

H04L 63/0807   using tickets, e.g. Kerbero...

System and method for providing secure URL-based access to private resources

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

796 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing secure URL-based access to private resources

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

796 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links