Session management in a stateless network system

US 6,490,624 B1
Filed: 07/28/1999
Issued: 12/03/2002
Est. Priority Date: 07/10/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of managing sessions in a stateless network system that includes a plurality of first servers each controlling access by one of a plurality of clients to resources of a plurality of second servers, comprising the steps of:

creating a session manager that is bound to at least one of the first servers;

receiving, at one of the first servers, a request of the client to obtain one of the resources of one of the second servers;

determining, at the session manager from information stored therein, whether the client is part of an authenticated session with any of the first servers;

granting the client access to the resource only when the information in the session manager indicates that the client is part of the authenticated session.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a system that controls access to information resources, a session manager in cooperation with a topology mechanism enables a client to securely interact with a plurality of access servers and associated runtime elements using a plurality of sessions that are coordinated and tracked. The information resources are stored on protected servers. Access to each of the protected servers is controlled by one of the access servers. Client session information is stored in a session manager that is bound to and associated with the runtime of the access server, and the topology mechanism. In operation, a user of a client or browser logs in to an access server and then submits a request for a resource of a protected server associated with a different access server. A runtime module on the access server receives the request and asks the session manager to validate the session. The session manager determines whether the client is involved in an authenticated session with any access server in the system. If so, the client is permitted to access the resources without logging in to the specific access server that is associated with the protected server. In this way, the client can access multiple resources of multiple protected servers, in a stateless network system, without logging in to each of the access servers that controls each of the protected servers.

Citations

31 Claims

1. A method of managing sessions in a stateless network system that includes a plurality of first servers each controlling access by one of a plurality of clients to resources of a plurality of second servers, comprising the steps of:
- creating a session manager that is bound to at least one of the first servers;
  
  receiving, at one of the first servers, a request of the client to obtain one of the resources of one of the second servers;
  
  determining, at the session manager from information stored therein, whether the client is part of an authenticated session with any of the first servers;
  
  granting the client access to the resource only when the information in the session manager indicates that the client is part of the authenticated session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 31)
- - 2. The method recited in claim 1, wherein the determining step comprises
3. The method recited in claim 1, comprising the steps of:
- determining, at the session manager from information stored therein and based on a session identifier that is generated by the one of the first servers and provided to the session manager, whether the session identifier is valid;
  
  determining, at the session manager, whether the client has failed to contact the any of the first servers within a pre-determined period of time; and
  
  granting the client access to the resource only when the session identifier indicates that the client is part of a valid session and the client has contacted the any of the first servers within the pre-determined period of time.
4. The method recited in claim 1, comprising the steps of:
- determining, at the session manager from information stored therein and based on a session identifier that is generated by the one of the first servers and provided to the session manager, whether the session identifier is valid;
  
  determining, at the session manager, whether the session identifier has been revoked;
  
  granting the client access to the resource only when the session identifier indicates that the client is part of a valid, un-revoked session.
5. The method recited in claim 1, further comprising the steps of:
- creating and storing a plurality of session managers, each session manager being associated with the at least one of the first servers, each session manager having a locally stored set of session information defining one or more valid sessions between the clients and the second servers; and
  
  synchronizing the session information of each of the session managers with the session information of all other session managers.
6. The method recited in claim 1, further comprising the steps of:
- creating and storing a plurality of session managers, each session manager being associated with the at least one of the first servers, each session manager having a locally stored set of session information defining one or more valid sessions between the clients and the second servers;
  
  when one of the session managers is created;
  
  receiving, at that session manager, a list of all other session managers that are online;
  
  synchronizing the session information of that session manager with each session manager in the list; and
  
  storing information in that session manager indicating that it is online.
7. The method recited in claim 1, further comprising the step of creating and storing, in association with each of the first servers, a monitoring element that monitors whether each of the first servers is bound to an associated session manager.
8. The method recited in claim 1, further comprising the steps of creating and storing a topology management element that communicates with all of the first servers and each of one or more session managers and determines whether each first server is bound to an associated session manager.
9. The method recited in claim 1, further comprising the steps of:
- creating and storing a topology management element that communicates with all of the first servers and each of one or more session managers and determines whether each first server is bound to an associated session manager;
  
  registering the one of the first servers with one of the session managers by creating and storing, in association with each of the first servers, a monitoring element that monitors whether each of the first servers is bound to an associated session manager;
  
  registering each of the session managers with the topology management element.
10. The method recited in claim 1, further comprising the steps of:
- creating and storing, in association with each of the first servers, a topology management element that monitors whether the at least one of the first servers is bound to a first session manager;
  
  using the topology management element, detecting a failure of the first session manager;
  
  at the one of the first servers, binding the at least one of the first servers to a second session manager;
  
  monitoring, with the topology management element, whether the at least one of the first servers is bound to the second session manager.
11. The method recited in claim 1, further comprising the steps of:
- creating and storing, in association with each of the first servers, a topology management element that monitors whether the at least one of the first servers is bound to a first session manager;
  
  using a first interceptor that is bound to the topology management element, detecting a failure of the first session manager, and in response thereto, deactivating the first session manager;
  
  using a second interceptor that is bound to the one of the first servers, detecting the failure of the first session manager, and in response thereto, at the one of the first servers, binding the at least one of the first servers to a second session manager;
  
  monitoring, with a third interceptor that is bound to the second session manager, whether the at least one of the first servers is bound to the second session manager.
31. The method recited in claim 1, further comprising the step of periodically purging information about one or more inactive sessions that are older than a predetermined time period.

12. A method of managing sessions in a stateless network system that includes a plurality of protected servers each controlling access by one of a plurality of clients to resources of a plurality of second servers, comprising the steps of:
- creating a session manager that is bound to at least one of the protected servers;
  
  receiving, at one of the protected servers, a request of the client to obtain one of the resources of one of the second servers;
  
  determining, at the session manager from information stored therein, whether the client is part of an authenticated session with any of the protected servers;
  
  when the information in the session manager indicates that the client is not part of an authenticated session, requesting and receiving session authentication information from an authentication mechanism that is coupled to the session manager;
  
  granting the client access to the resource only when the information in the session manager indicates that the client is part of the authenticated session.

13. A method of managing sessions in a stateless network system that includes a plurality of protected servers each controlling access by one of a plurality of clients to resources of a plurality of second servers, comprising the steps of:
- creating a session manager that is bound to at least one of the protected servers;
  
  creating and storing a topology management element that communicates with all of the protected servers and each of one or more session managers and determines whether each protected server is bound to an associated session manager;
  
  receiving, at one of the protected servers, a request of the client to obtain one of the resources of one of the second servers;
  
  determining, at the session manager from information stored therein, whether the client is part of an authenticated session with any of the protected servers;
  
  when the information in the session manager indicates that the client is not part of an authenticated session, requesting and receiving session authentication information from an authentication mechanism that is coupled to the session manager;
  
  granting the client access to the resource only when the information in the session manager indicates that the client is part of the authenticated session;
  
  using the topology management element, detecting a failure of a first session manager;
  
  at the one of the protected servers, binding the at least one of the protected servers to a second session manager;
  
  monitoring, with the topology management element, whether the at least one of the protected servers is bound to the second session manager.

14. An apparatus for managing sessions in a stateless network that includes a plurality of first servers each controlling access by one of a plurality of clients to resources of a plurality of second servers, the apparatus comprising:
- at least one session manager coupled to and associated with each one of the first servers and accessible over the network; and
  
  machine executable instructions stored in association with and executed by each of the session managers, wherein the instructions are configured to cause the session managers to carry out the steps of;
  
  receiving, at one of the first servers, a request of the client to obtain one of the resources of one of the second servers;
  
  determining, at the session manager from information stored therein, whether the client is part of an authenticated session with any of the first servers;
  
  granting the client access to the resource only when the information in the session manager indicates that the client is part of the authenticated session.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The apparatus recited in claim 14, further comprising a topology management element that communicates with all of the first servers and all of the session managers and determines whether each first server is bound to an associated session manager.
  - 16. The apparatus recited in claim 14, further comprising:
17. The apparatus recited in claim 14, further comprising:
- a topology management element that communicates with all of the first servers and all of the session managers and determines whether each first server is bound to an associated session manager; and
  
  instructions which, when executed by the one of the first servers, carry out the steps of;
  
  using the topology management element, detecting a failure of a first session manager;
  
  at the one of the first servers, binding at least one of the first servers to a second session manager;
  
  monitoring, with the topology management element, whether the at least one of the first servers is bound to the second session manager.
18. The apparatus recited in claim 14, further comprising:
- a topology management element that communicates with all of the first servers and all of the session managers and determines whether each first server is bound to an associated session manager; and
  
  instructions which, when executed by the one of the first servers, carry out the steps of;
  
  using a first interceptor that is bound to the topology management element, detecting a failure of a first session manager, and in response thereto, deactivating the first session manager;
  
  using a second interceptor that is bound to the one of the first servers, detecting the failure of the first session manager, and in response thereto, at the one of the first servers, binding at least one of the first servers to a second session manager;
  
  monitoring, with a third interceptor that is bound to the second session manager, whether the at least one of the first servers is bound to the second session manager.

19. A computer-readable medium carrying one or more sequences of instructions for managing sessions in a stateless network system that includes a plurality of first servers each controlling access by one of a plurality of clients to resources of a plurality of second servers, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- creating a session manager that is bound to at least one of the first servers;
  
  receiving, at one of the first servers, a request of the client to obtain one of the resources of one of the second servers;
  
  determining, at the session manager from information stored therein, whether the client is part of an authenticated session with any of the first servers;
  
  granting the client access to the resource only when the information in the session manager indicates that the client is part of the authenticated session.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 20. The computer-readable medium recited in claim 19, wherein the determining step comprises determining, at the session manager from information stored therein and based on a session identifier that is generated by the one of the first servers and provided to the session manager, whether the session identifier is valid;
    - and
21. The computer-readable medium recited in claim 19, the instructions comprising the steps of:
- determining, at the session manager from information stored therein and based on a session identifier that is generated by the one of the first servers and provided to the session manager, whether the session identifier is valid;
  
  determining, at the session manager, whether the client has failed to contact the any of the first servers within a pre-determined period of time; and
  
  granting the client access to the resource only when the session identifier indicates that the client is part of a valid session and the client has contacted the at least one of the first servers within the pre-determined period of time.
22. The computer-readable medium recited in claim 19, the instructions comprising the steps of:
- determining, at the session manager from information stored therein and based on a session identifier that is generated by the one of the first servers and provided to the session manager, whether the session identifier is valid;
  
  determining, at the session manager, whether the session identifier has been revoked;
  
  granting the client access to the resource only when the session identifier indicates that the client is part of a valid, un-revoked session.
23. The computer-readable medium recited in claim 19, the instructions further comprising the steps of:
- creating and storing a plurality of session managers, each session manager being associated with the at least one of the first servers, each session manager having a locally stored set of session information defining one or more valid sessions between the clients and the second servers; and
  
  synchronizing the session information of each of the session managers with the session information of all other session managers.
24. The computer-readable medium recited in claim 19, the instructions further comprising the steps of:
- creating and storing a plurality of session managers, each session manager being associated with the at least one of the first servers, each session manager having a locally stored set of session information defining one or more valid sessions between the clients and the second servers;
  
  when one of the session managers is created;
  
  receiving, at that session manager, a list of all other session managers that are online;
  
  synchronizing the session information of that session manager with each other session manager in the list; and
  
  storing information in that session manager indicating that it is online.
25. The computer-readable medium recited in claim 19, the instructions further comprising the step of creating and storing, in association with each of the first servers, a monitoring element that monitors whether each of the first servers is bound to an associated session manager.
26. The computer-readable medium recited in claim 19, the instructions further comprising the steps of creating and storing a topology management element that communicates with all of the first servers and each of one or more session managers and determines whether each first server is bound to an associated session manager.
27. The computer-readable medium recited in claim 19, the instructions further comprising the steps of:
- creating and storing a topology management element that communicates with all of the first servers and each of one or more session managers and determines whether each first server is bound to an associated session manager;
  
  registering the one of the first servers with one of the session managers by creating and storing, in association with each of the first servers, a monitoring element that monitors whether each of the first servers is bound to its associated session manager;
  
  registering each of the session managers with the topology management element.
28. The computer-readable medium recited in claim 19, the instructions further comprising the steps of:
- creating and storing, in association with each of the first servers, a topology management element that monitors whether the at least one of the first servers is bound to a first session manager;
  
  using the topology management element, detecting a failure of the first session manager;
  
  at the one of the first servers, binding the at least one of the first servers to a second session manager;
  
  monitoring, with the topology management element, whether the at least one of the first servers is bound to the second session manager.
29. The computer-readable medium recited in claim 19, the instructions further comprising the steps of:
- creating and storing, in association with each of the first servers, a topology management element that monitors whether the at least one of the first servers is bound to a first session manager;
  
  using a first interceptor that is bound to the topology management element, detecting a failure of the first session manager, and in response thereto, deactivating the first session manager;
  
  using a second interceptor that is bound to the one of the first servers, detecting the failure of the first session manager, and in response thereto, at the one of the first servers, binding the at least one of the first servers to a second session manager;
  
  monitoring, with a third interceptor that is bound to the second session manager, whether the at least one of the first servers is bound to the second session manager.

30. A computer-readable medium carrying one or more sequences of instructions for managing sessions in a stateless network system that includes a plurality of first servers each controlling access by one of a plurality of clients to resources of a plurality of second servers, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- creating a session manager that is bound to at least one of the first servers;
  
  receiving, at one of the first servers, a request of the client to obtain one of the resources of one of the second servers;
  
  determining, at the session manager from information stored therein, whether the client is part of an authenticated session with any of the first servers;
  
  when the information in the session manager indicates that the client is not part of an authenticated session, requesting and receiving session authentication information from an authentication mechanism that is coupled to the session manager;
  
  granting the client access to the resource only when the information in the session manager indicates that the client is part of the authenticated session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
Entrust Incorporated (Entrust Corp.)
Inventors
Belmonte, Emilio, Sampson, Lawrence C.
Primary Examiner(s)
VU, VIET DUY

Application Number

US09/363,315
Time in Patent Office

1,224 Days
Field of Search

709/202, 709/203, 709/217, 709/219, 709/223, 709/224, 709/225, 709/227, 709/228, 709/229, 713/201, 713/202
US Class Current

709/227
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/067   using one-time keys cryptog...

H04L 63/105   Multiple levels of security

Session management in a stateless network system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Session management in a stateless network system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links