Authenticating user access to a network server without communicating user authentication cookie to the network server

US 7,016,960 B2
Filed: 04/30/2003
Issued: 03/21/2006
Est. Priority Date: 07/08/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method of granting access to a network server, the method comprising:

receiving a request by a user to gain access to the network server through an Internet browser operated by the user;

generating a request to authenticate the user;

communicating the request to an authentication server;

receiving a message from the authentication server indicating whether the user is authenticated, wherein;

the authentication server provides a cookie to the Internet browser operated by the user if the user is authenticated by the authentication server; and

the cookie cannot be read by the network server;

granting access to the user if the user is authenticated by the authentication server, wherein granting access comprises redirecting the Internet browser to the network server; and

denying access to the user if the user is not authenticated by the authentication server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system determines whether to grants access to a network server by a user. Initially, a user attempts to gain access to a network server, such as a web server. Prior to granting access to the network server, the network server authenticates the user by sending an authentication request to an authentication server. The authentication server determines whether the user was already authenticated by the authentication server. If the user was already authenticated by the authentication server, then the network server is notified that the user is authenticated. The network server then grants the user access to the network server. If the user was not already authenticated by the authentication server, then login information is retrieved from the user and compared to authentication information maintained by the authentication server. If the retrieved login information matches the authentication information, then the network server is notified that the user is authenticated. The retrieved login information and the authentication information is concealed from the network server. If the user is authenticated, then a user profile is communicated to the network server along with the notification that the user is authenticated. If the user is successfully authenticated, then a cookie is provided to an Internet browser operated by the user. The cookie contains information regarding user authentication, the user'"'"'s profile, and a list of network servers previously visited by the user.

Citations

19 Claims

1. A method of granting access to a network server, the method comprising:
- receiving a request by a user to gain access to the network server through an Internet browser operated by the user;
  
  generating a request to authenticate the user;
  
  communicating the request to an authentication server;
  
  receiving a message from the authentication server indicating whether the user is authenticated, wherein;
  
  the authentication server provides a cookie to the Internet browser operated by the user if the user is authenticated by the authentication server; and
  
  the cookie cannot be read by the network server;
  
  granting access to the user if the user is authenticated by the authentication server, wherein granting access comprises redirecting the Internet browser to the network server; and
  
  denying access to the user if the user is not authenticated by the authentication server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method as recited in claim 1 wherein the network server is a web server coupled to the Internet.
  - 3. A method as recited in claim 1 further including:
    - receiving a user profile from the authentication server if the user is authenticated by the authentication server.
  - 4. A method as recited in claim 1 wherein the network server provides a second cookie to the Internet browser operated by the user if the user is authenticated by the authentication server, wherein the second cookie contains user authentication information.
  - 5. A method as recited in claim 1 wherein the network server provides a second cookie to the Internet browser operated by the user if the user is authenticated by the authentication server, wherein the second cookie contains user profile information.
  - 6. One or more computer-readable memories containing a computer program that is executable by a processor to perform the method recited in claim 1.

7. One or more computer-readable media having stored thereon a computer program comprising the following steps:
- receiving a request by a user to gain access to a network server via an Internet browser operated by the user;
  
  generating a request to authenticate the user;
  
  communicating the request to an authentication server;
  
  receiving a message from the authentication server indicating whether the user is authenticated;
  
  receiving a user profile from the authentication server if the user is authenticated by the authentication server,granting access to the user if the user is authenticated by the authentication server, wherein granting access comprises redirecting the Internet browser to the network server;
  
  providing a cookie to the Internet browser operated by the user if the user is authenticated by the authentication server, wherein the cookie is provided by the authentication server and cannot be read by the network sewer; and
  
  denying access to the user if the user is not authenticated by the authentication server.
- View Dependent Claims (8, 9)
- - 8. One or more computer-readable media as recited in claim 7 further comprising:
    - providing a second cookie to the Internet browser operated by the user if the user is authenticated by the authentication server, wherein the second cookie contains user authentication information.
  - 9. One or more computer-readable media as recited in claim 7 further comprising:
    - providing a second cookie to the Internet browser operated by the user if the user is authenticated by the authentication server, wherein the second cookie contains user profile information.

10. One or more computer-readable media having stored thereon a computer program including instructions for a computer process comprising:
- receiving a request at an authentication server to authenticate a user, responsive to a request by the user to gain access to a network server through a browser being operated by the user;
  
  if the user has not already been authenticated by the authentication server prior to receipt of the request by the authentication server, receiving user login information from the user, wherein communication of the user login information from the user to the authentication server bypasses the network server;
  
  transmitting a message from the authentication server indicating whether the user is authenticated, wherein the network server grants the user access to the network server based on the message if the user is authenticated by the authentication server and the network server denies the user access to the network server based on the message if the user is not authenticated by the authentication server;
  
  providing a cookie to the browser operated by the user if the user is authenticated by the authentication server, wherein the cookie is provided by the authentication server and cannot be read by the network server; and
  
  redirecting the browser to the network server if the user is authenticated by the authentication server.
- View Dependent Claims (11, 12, 13)
- - 11. One or more computer-readable media as recited in claim 10 further comprising:
    - providing a second cookie to the browser operated by the user if the user is authenticated by the authentication server, wherein the second cookie contains user authentication information.
  - 12. One or more computer-readable media as recited in claim 10 further comprising:
    - providing a second cookie to the browser operated by the user if the user is authenticated by the authentication server, wherein the second cookie contains user profile information.
  - 13. One or more computer-readable media as recited in claim 10 further comprising:
    - transmitting a user profile from the authentication server if the user is authenticated by the authentication server.

14. A system for authenticating a user attempting to access a first network server via a browser operating on a client computer, the system comprising an authentication server that receives a request to access the first network server by the user and redirects the browser back to the first network server after the user is authenticated, wherein the authentication server sends a message to the first network server indicating that the user has been authenticated, and sends a cookie to the client computer, the cookie not being readable by the first network server.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. A system as recited in claim 14 wherein the authentication server determines if a most recent authentication of the user is within a timeout period designated by the first network server, the most recent authentication corresponding to authentication of the user with respect to a second network server.
  - 16. A system as recited in claim 14 wherein the authentication server sends a message to the first network server indicating that the user has been authenticated, and the network server responsively sends a second cookie to the client computer, the second cookie indicating that the user has been authenticated and a period of time during which the authentication is valid.
  - 17. A system as recited in claim 16 wherein when the user logs out, the authentication server requests the first network server to delete cookies placed by the first network server on the client computer.
  - 18. A system as recited in claim 14 wherein the authentication server accesses a cross-reference table that correlates a login identifier of the user with a plurality of different login identifiers, each of the different login identifiers being associated with one of a plurality of network servers.
  - 19. A system as recited in claim 14 wherein the authentication server generates a third cookie that includes a list of a plurality of network servers that the user has visited, the plurality of network servers including the first network server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kunins, Jeffrey C., Howard, John Hal, Metral, Max E., Battle, Ryan W., Anderson, Darren L.
Primary Examiner(s)
Luu, Le Hien

Application Number

US10/427,080
Publication Number

US 20030204610A1
Time in Patent Office

1,056 Days
Field of Search

709/225, 709/227, 709/229, 709/201, 709/224, 370/338, 380/244, 705/27
US Class Current

709/225
CPC Class Codes

G06F 21/31   User authentication

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/168   above the transport layer

Authenticating user access to a network server without communicating user authentication cookie to the network server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Authenticating user access to a network server without communicating user authentication cookie to the network server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links