Method and system for authorizing a client computer to access a server computer

US 7,089,585 B1
Filed: 08/29/2000
Issued: 08/08/2006
Est. Priority Date: 08/29/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method for authorizing a second client-based application on a client computer to access a service provided by a second server-based application based upon a previously provided authorization that authorized the client computer to use a first client-based application to access a service provided by the first server-based application comprising:

(a) receiving a request for authorizing the client computer to use said second client-based application to access the service provided by said second server-based application;

(b) wherein the service provided by said second server-based application is different than the service provided by said first server-based application;

(c) wherein the request for authorizing the client computer to use said second client-based application to access the service provided by said second server-based application originates from said first client-based application;

(d) in response to said request;

(i) determining a session length indicating a length of time said client computer has been authorized to access the service provided by said first server-based application;

(ii) calculating a hash value for an authorization ticket received from said first server-based application, said session length, and a secret shared between said client computer and said second server-based application, and(iii) transmitting a request for authorization to access the service provided by said second server-based application comprising said hash value, said authorization ticket, and said session length.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention includes a client computer, a first server computer, and a second server computer. The first server provides an authorization ticket containing a time stamp to the client computer when the client computer is authorized to access the first server. An elapsed time counter is started at the client computer when access is provided to the first server. When a request is received at the client computer to access the second server, the client computer determines the session length based upon the elapsed time counter. The client computer calculates a hash value for the authorization ticket, the session length, and a secret shared with the second server computer. The client computer transmits a login request to the second server including the authorization ticket, the session length, and the hash. The second server decrypts the authorization ticket and retrieves a copy of the shared secret. The second server executes a hash function on the authorization ticket, the session length, and the shared secret. The second server then compares the computed hash to the hash value received from the second client application. If the two hash values are identical, the second server retrieves the time stamp from the authorization ticket and adds the session length to the time stamp. The second server then compares the resulting value to the current time. If the resulting value and the current time are within a preset threshold value, the client computer is provided.

200 Citations

21 Claims

1. A computer-implemented method for authorizing a second client-based application on a client computer to access a service provided by a second server-based application based upon a previously provided authorization that authorized the client computer to use a first client-based application to access a service provided by the first server-based application comprising:
- (a) receiving a request for authorizing the client computer to use said second client-based application to access the service provided by said second server-based application;
  
  (b) wherein the service provided by said second server-based application is different than the service provided by said first server-based application;
  
  (c) wherein the request for authorizing the client computer to use said second client-based application to access the service provided by said second server-based application originates from said first client-based application;
  
  (d) in response to said request;
  
  (i) determining a session length indicating a length of time said client computer has been authorized to access the service provided by said first server-based application;
  
  (ii) calculating a hash value for an authorization ticket received from said first server-based application, said session length, and a secret shared between said client computer and said second server-based application, and(iii) transmitting a request for authorization to access the service provided by said second server-based application comprising said hash value, said authorization ticket, and said session length.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein said authorization ticket comprises a time stamp, and wherein determining a session length comprises subtracting said time stamp from an elapsed time counter to determine said session length.
  - 3. The method of claim 2, wherein said elapsed time counter is started when said authorization ticket is received from said first server-based application.
  - 4. The method of claim 3, wherein said authorization ticket is received from said first server-based application when said client computer is authorized to access the service provided by said first server-based application.
  - 5. The method of claim 1, wherein calculating a hash value comprises performing an MD5 hash of an authorization ticket received from said first server-based application, said session length, and a secret shared between said client computer and said second server-based application.
  - 6. The method of claim 1, further comprising:
    - starting a persistence timer when said first server-based application ceases providing a service to said client computer;
      
      determining whether said persistence timer has reached a predefined value prior to receiving a response from said second server-based application; and
      
      in response to determining that said persistence timer has reached a predefined value prior to receiving a response from said second server-based application, deleting said authorization ticket, said session length and said hash value from said client computer.
  - 7. The method of claim 6, further comprising:
    - in response to determining that said persistence timer has not reached a predefined value prior to receiving a response from said second server-based application, receiving said response from said second server-based application and displaying said response at said client computer.
  - 8. The method of claim 1, wherein said first server-based application is an instant messaging application that provides a different service than said second server-based application which is a Web application.
  - 9. A computer-controlled apparatus operative to perform the method of claim 1.
  - 10. A computer-controlled apparatus operative to perform the method of claim 2.
  - 11. A computer-readable medium containing computer-readable instructions which, when executed by a computer, perform the method of claim 1.
  - 12. A computer-readable medium containing computer-readable instructions which, when executed by a computer, perform the method of claim 2.

13. A computer-implemented method for authorizing a second client-based application on a client computer to access a service provided by a second server-based application based upon a previously provided authorization that authorized the client computer to use a first client-based application to access a service provided by the first server-based application, comprising:
- (a) receiving a request for authorizing the client computer to use said second client-based application to access the service provided by said second server-based application from said client computer comprising a hash value, an authorization ticket, and a session length;
  
  (b) wherein the service provided by said second server-based application is different than the service provided by said first server-based application;
  
  (c) computing a new hash value for said authorization ticket, said session length, and a copy of a secret shared between said client computer and said second server-based application;
  
  (d) determining whether said hash value received from said client computer is identical to said new hash value; and
  
  (e) in response to determining that said hash value received from said client computer is identical to said new hash value, authorizing said client computer to use said second client-based application to access the service provided by said second server-based application.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13, further comprising:
    - (e) in response to determining that said hash value received from said client computer is identical to said new hash value;
      
      (i) determining whether a sum of said session length and a time stamp received as part of said authorization ticket is within a preset threshold value of a current time; and
      
      (ii) in response to determining that the sum of said session length and said time stamp is within said preset threshold value, authorizing said client computer to access the service provided by said second server-based application.
  - 15. The method of claim 14, further comprising:
    - (f) in response to determining that said hash value received from said client computer is not identical to said new hash value, not authorizing said client computer to access the service provided by said second server-based application.
  - 16. The method of claim 15, further comprising:
    - (g) in response to determining that the sum of said session length and said time stamp is not within said preset threshold value, not authorizing said client computer to access the service provided by said second server-based application.
  - 17. A computer-controlled apparatus operative to perform the method of claim 13.
  - 18. A computer-controlled apparatus operative to perform the method of claim 14.
  - 19. A computer-readable medium containing computer-readable instructions which, when executed by a computer, perform the method of claim 13.
  - 20. A computer-readable medium containing computer-readable instructions which, when executed by a computer, perform the method of claim 14.
  - 21. The method of claim 13, wherein said first server-based application is an instant messaging application that provides a different service than said second server-based application which is a Web server application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dharmarajan, Baskaran
Primary Examiner(s)
Arani, Taghi T.

Application Number

US09/650,105
Time in Patent Office

2,170 Days
Field of Search

713/201, 713/100, 713/150, 714/42, 380/286, 370/401, 370/312, 370/332, 705/1, 705/400, 709/219, 709/229, 709/201, 726/3, 726 8- 10, 726/2, 726/21, 726/4
US Class Current

726/8
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/108 when the policy decisions a...

Method and system for authorizing a client computer to access a server computer

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

200 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Method and system for authorizing a client computer to access a server computer

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

200 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others