Method and apparatus for securing session information of users in a web application server environment

US 7,043,455 B1
Filed: 07/28/2000
Issued: 05/09/2006
Est. Priority Date: 07/28/2000
Status: Active Grant

First Claim

Patent Images

1. A method in a data processing system for managing an information request, comprising:

establishing a session, including authenticating a client based on a presented credential;

generating a session identification in response to the session being established;

associating the presented credential with session data;

sending the session identification to the client;

receiving a request for information and a credential and the session identification from the client;

determining whether the session identification is valid;

determining whether the credential is valid for both the client and the session data;

sending the information to the client in response to the session identification and the credential being valid.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for securing hypertext transfer protocol sessions authenticates a user'"'"'s credentials before creating a session. The present invention then associates the session with the credentials. Subsequent requests are submitted with the session ID and the user credentials to be associated with the session. Therefore, an unauthorized user that has obtained a session ID cannot gain access to sensitive content associated with the session without possessing the valid credentials.

Citations

37 Claims

1. A method in a data processing system for managing an information request, comprising:
- establishing a session, including authenticating a client based on a presented credential;
  
  generating a session identification in response to the session being established;
  
  associating the presented credential with session data;
  
  sending the session identification to the client;
  
  receiving a request for information and a credential and the session identification from the client;
  
  determining whether the session identification is valid;
  
  determining whether the credential is valid for both the client and the session data;
  
  sending the information to the client in response to the session identification and the credential being valid.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the credential is a user name and password, a security token, or a certificate.
  - 3. The method of claim 1, further comprising:
    - associating a user account with the session identification in response to the credential being valid.
  - 4. The method of claim 1, wherein the step of generating a session identification comprises generating a random number.
  - 5. The method of claim 1, wherein the step of generating a session identification comprises generating a session identification data structure.
  - 6. The method of claim 5, wherein the session identification data structure is a session identification cookie.
  - 7. The method of claim 5, wherein the session identification data structure is in a rewritten uniform resource locator.
  - 8. The method of claim 1, wherein the request is a hypertext transport protocol request.
  - 9. The method of claim 8, wherein the hypertext transport protocol request is a uniform resource locator.

10. A method in a data processing system for managing an information request, comprising:
- receiving a request for information and a session identification and a first credential from a client;
  
  determining whether the session identification is valid;
  
  retrieving a session data structure including a second credential in response to the session identification being valid;
  
  determining whether the first credential and the second credential match; and
  
  fulfilling the request for information in response to the first credential and the second credential matching.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein the first credential is a user name and password, a security token, or a certificate.
  - 12. The method of claim 10, wherein the step of generating a session identification comprises generating a random number.
  - 13. The method of claim 10, wherein the step of generating a session identification comprises generating a session identification data structure.
  - 14. The method of claim 13, wherein the session identification data structure is a session identification cookie.
  - 15. The method of claim 13, wherein the session identification data structure is in a rewritten uniform resource locator.
  - 16. The method of claim 10, wherein the request is a hypertext transport protocol request.
  - 17. The method of claim 16, wherein the hypertext transport protocol request is a uniform resource locator.

18. An apparatus for managing an information request, comprising:
- session means for establishing a session, including authenticating a client based on a presented credential;
  
  generating means for generating a session identification in response to the session being established;
  
  association means for associating the presented credential with session data;
  
  first sending means for sending the session identification to the client;
  
  receipt means for receiving a request for information and a credential and the session identification from the client;
  
  first determining means for determining whether the session identification is valid;
  
  second determining means for determining whether the credential is valid for both the client and the session data; and
  
  second sending means for sending the information to the client in response to the session identification and the credential being valid.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The apparatus of claim 18, wherein the credential is a user name and password, a security token, or a certificate.
  - 20. The apparatus of claim 18, further comprising:
    - association means for associating a user account with the session identification in response to the session identification being generated.
  - 21. The apparatus of claim 18, wherein the generating means comprises means for generating a random number.
  - 22. The apparatus of claim 18, wherein the generating means comprises means for generating a session identification data structure.
  - 23. The apparatus of claim 22, wherein the session identification data structure is a session identification cookie.
  - 24. The apparatus of claim 22, wherein the session identification data structure is in a rewritten uniform resource locator.
  - 25. The apparatus of claim 18, wherein the request is a hypertext transport protocol request.
  - 26. The apparatus of claim 25, wherein the hypertext transport protocol request is a uniform resource locator.

27. An apparatus for managing an information request, comprising:
- a processor; and
  
  a memory electrically connected to the processor, the memory having stored therein a program to be executed on the processor for performing;
  
  receiving a request for information and a session identification and a first credential from a client;
  
  determining whether the session identification is valid;
  
  retrieving a session data structure including a second credential in response to the session identification being valid;
  
  determining whether the first credential and the second credential match; and
  
  fulfilling the request for information in response to the first credential and the second credential matching.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34)
- - 28. The apparatus of claim 27, wherein the first credential is a user name and password, a security token, or a certificate.
  - 29. The apparatus of claim 27, wherein the step of generating a session identification comprises generating a random number.
  - 30. The apparatus of claim 27, wherein the step of generating a session identification comprises generating a session identification data structure.
  - 31. The apparatus of claim 30, wherein the session identification data structure is a session identification cookie.
  - 32. The apparatus of claim 30, wherein the session identification data structure is in a rewritten uniform resource locator.
  - 33. The apparatus of claim 27, wherein the request is a hypertext transport protocol request.
  - 34. The apparatus of claim 33, wherein the hypertext transport protocol request is a uniform locator.

35. A computer program product, in a computer readable medium, for managing an information request, comprising:
- instructions for establishing a session, including authenticating a client based on a presented credential;
  
  instructions for generating a session identification in response to the session being established;
  
  instructions for associating the presented credential with session data;
  
  instructions for sending the session identification to the client;
  
  instructions for receiving a request for information and a credential and the session identification from a client;
  
  instructions for determining whether the session identification is valid;
  
  instructions for determining whether the credential is valid for both the client and the session data;
  
  instructions for sending the information to the client in response to the session identification and the credential being valid.

36. A computer program product, in a computer readable medium, for managing an information request, comprising:
- instructions for receiving a request for information and a session identification and a first credential from a client;
  
  instructions for determining whether the session identification is valid;
  
  instructions for retrieving a session data structure including a second credential in response to the session identification being valid;
  
  instructions for determining whether the first credential and the second credential match; and
  
  instructions for fulfilling the request for information in response to the first credential and the second credential matching.

37. A method in a data processing system for managing an information request, comprising:
- authenticating a client based on a presented credential;
  
  generating a session identification in response to the client being authenticated;
  
  associating the presented credential with session data;
  
  sending the session identification to the client;
  
  receiving a request for information and a credential and the session identification from the client;
  
  determining whether the session identification is valid;
  
  determining whether the credential is valid for both the client and the session data; and
  
  sending the information to the client in response to the session identification and the credential being valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Montero, Gabriel Garcia, Nagaratnam, Nataraj, Fraenkel, Michael L., Cuomo, Gennaro A.
Primary Examiner(s)
Backer, Firmin

Application Number

US09/627,373
Time in Patent Office

2,111 Days
Field of Search

None
US Class Current

705/75
CPC Class Codes

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

H04L 63/08   for authentication of entit...

Method and apparatus for securing session information of users in a web application server environment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for securing session information of users in a web application server environment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links