Secure session management and authentication for web sites

US 7,216,236 B2
Filed: 03/16/2001
Issued: 05/08/2007
Est. Priority Date: 11/30/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method of secure session management and authentication between a web site and a web client, said web site having secure and non-secure web pages, said method comprising the steps of:

a) utilizing a non-secure communication protocol and a session cookie when said web client requests access to said non-secure web pages;

b) utilizing a secure communication protocol and creating an authcode cookie when said web client requests access to said secure web pages, so that utilizations of said authcode cookie are interspersed between utilizations of said session cookie, and at least some utilizations of said session cookie take place after utilizations of said authcode cookie;

c) requesting said session cookie from said web client whenever said web client requests access to said non-secure web pages and verifying said requested session cookie;

d) requesting said authcode cookie from said web client whenever said web client requests access to said secure web pages and verifying said requested authcode cookie; and

wherein said method also comprises alternating between said secure communication protocol and said non-secure communication protocol when said web client alternates requests for access to said secure web pages and said non-secure web pages, respectively, and also repeatedly alternating between said utilizations of said authcode and said utilizations of said session code.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention comprises a system and method for secure session management and authentication between web sites and web clients. The method includes both secure and non-secure communication protocols, means for switching between secure and non-secure communication protocols, a session cookie and an authcode cookie. The session cookie is used for session management and the authcode cookie is used for authentication. The session cookie is transmitted using a non-secure communication protocol when the web client accesses a non-secure web page, whereas, the authcode cookie is transmitted using a secure communication protocol when the web client accesses a secure web page. Session management architecture and usage of two distinct cookies along with both secure and non-secure communication protocols prevents unauthorized users from accessing sensitive web client or web site information.

60 Citations

View as Search Results

26 Claims

1. A method of secure session management and authentication between a web site and a web client, said web site having secure and non-secure web pages, said method comprising the steps of:
- a) utilizing a non-secure communication protocol and a session cookie when said web client requests access to said non-secure web pages;
  
  b) utilizing a secure communication protocol and creating an authcode cookie when said web client requests access to said secure web pages, so that utilizations of said authcode cookie are interspersed between utilizations of said session cookie, and at least some utilizations of said session cookie take place after utilizations of said authcode cookie;
  
  c) requesting said session cookie from said web client whenever said web client requests access to said non-secure web pages and verifying said requested session cookie;
  
  d) requesting said authcode cookie from said web client whenever said web client requests access to said secure web pages and verifying said requested authcode cookie; and
  
  wherein said method also comprises alternating between said secure communication protocol and said non-secure communication protocol when said web client alternates requests for access to said secure web pages and said non-secure web pages, respectively, and also repeatedly alternating between said utilizations of said authcode and said utilizations of said session code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said alternating between said secure communication protocol and said non-secure communication protocol is facilitated by a table which keeps track of said non-secure web pages and said secure web pages.
  - 3. The method of claim 2, wherein said web site uses said table to direct said web client to use said secure communication protocol or said non-secure communication protocol depending on whether said web client requests access to said non-secure web pages or said secure web pages.
  - 4. The method of claim 3, wherein said method also comprises allowing said web client to be a guest client or a registered client.
  - 5. The method of claim 4, wherein said method also comprises creating stored information including data contained in said session cookie, data contained in said authcode cookie and data about said web client.
  - 6. The method of claim 5, wherein said session cookie includes a pointer and an encrypted portion, said pointer pointing to said stored information, said encrypted portion having a random portion and a date portion.
  - 7. The method of claim 5, wherein said authcode cookie includes an encrypted portion, said encrypted portion having a random portion and a date portion.
  - 8. The method of claim 6, wherein verifying said requested session cookie from said web client includes using said stored information to generate a second session cookie and comparing said second session cookie to said session cookie requested from said web client.
  - 9. The method of claim 7, wherein verifying said requested authcode cookie from said web client includes using said stored information to generate a second authcode cookie and comparing said second authcode cookie to said authcode cookie requested from said web client.

10. A system, for secure session management and authentication between a web site and a web client, said system comprising a web server, a web client and a communication channel, said web server coupled to said web client via said communication channel, said web server having a web site, said web site including:
- a) secure and non-secure web pages;
  
  b) a non-secure communication protocol and a session cookie that is used for allowing said web client access to each one of said non-secure web pages;
  
  c) a secure communication protocol and an authcode cookie that is used for allowing said web client access only to said secure web pages;
  
  d) verification means for verifying said session cookie when said session cookie is requested from said web client; and
  
  e) verification means for verifying said authcode cookie when said authcode cookie is requested from said web client;
  
  wherein said web server further comprises;
  
  a security alternating means for alternating between said secure communication protocol and said non-secure communication protocol.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein said web server further comprises a table to keep track of said non-secure web pages and said secure web pages.
  - 12. The system of claim 10, wherein said web site includes access means to allow said web client to access said web site as a guest client or a registered client.
  - 13. The system of claim 12, wherein said web system has storage means for containing stored information about said web client, data contained in said session cookie and data contained in said authcode cookie.
  - 14. The system of claim 13, wherein said session cookie includes a pointer and an encrypted portion, said pointer pointing to said stored information, said encrypted portion having a random portion and a date portion.
  - 15. The system of claim 13, wherein said authcode cookie includes an encrypted portion, said encrypted portion having a random portion and a date portion.

16. A computer program embodied on a computer readable medium, said computer program providing for secure session management and authentication between a web site and a web client, said web site having secure and non-secure web pages, said computer program adapted to:
- a) use a non-secure communication protocol and a session cookie when said web client requests access to said non-secure web pages;
  
  b) use a secure communication protocol and an authcode cookie when said web client requests access to said secure web pages;
  
  c) request said session cookie from said web client when said web client requests access to said non-secure web pages and to verify said requested session cookie; and
  
  d) request said authcode cookie from said web client when said web client requests access to said secure web pages and to verify said requested authcode cookie;
  
  wherein said computer program is further adapted to alternate between said secure communication protocol and said non-secure communication protocol when said web client alternates requests for access to said secure web pages and said non-secure web pages.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The computer program of claim 16, wherein said alternating between said secure communication protocol and said non-secure communication protocol is facilitated by a table which keeps track of said non-secure web pages and said secure web pages.
  - 18. The computer program of claim 17, wherein said computer program uses said table to direct said web client to use said secure communication protocol or said non-secure communication protocol depending on whether said web client requests access to said non-secure web pages or said secure web pages.
  - 19. The computer program of claim 16, wherein said computer program is adapted to allow said web client to be a guest client or a registered client.
  - 20. The computer program of claim 19, wherein said computer program is adapted to create stored information including data contained in said session cookie, data contained in said authcode cookie and data about said web client.
  - 21. The computer program of claim 20, wherein said session cookie includes a pointer and an encrypted portion, said pointer pointing to said stored information, said encrypted portion having a random portion and a date portion.
  - 22. The computer program of claim 20, wherein said authcode cookie includes an encrypted portion, said encrypted portion having a random portion and a date portion.
  - 23. The computer program of claim 21, wherein verifying said requested session cookie from said web client includes using said stored information to generate a second session cookie and comparing said second session cookie to said session cookie requested from said web client.
  - 24. The computer program of claim 23, wherein verifying said requested authcode cookie from said web client includes using said stored information to generate a second authcode cookie and comparing said second authcode cookie to said authcode cookie requested from said web client.
  - 25. The computer program of claim 16, wherein said computer program is adapted to create a NAME attribute in a session cookie:
    - a) generating a user_idb) generating a session_string;
      
      c) generating a session_timestamp;
      
      d) appending said session_timestamp to said session_string to create an intermediate value;
      
      e) applying a one way hash function to said intermediate value to create a final value; and
      
      f) storing said final value in said NAME attribute.
  - 26. The computer program of claim 16, wherein said computer program is adapted to create a NAME attribute in an authcode cookie by:
    - a) generating an authcode;
      
      b) generating an authcode_timestamp;
      
      c) appending said authcode_timestamp to said authcode to create an intermediate value;
      
      d) applying a one way hash function to said intermediate value to create a final value; and
      
      e) storing said final value in said NAME attribute.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Mirlas, Lev, Zhao, Yan Chun, Kou, Wei Dong
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Son; Linh L D

Application Number

US09/810,288
Publication Number

US 20020099936A1
Time in Patent Office

2,244 Days
Field of Search

713/151, 713/182, 713/185, 707/9, 726/9, 726/10, 705/65, 705/66
US Class Current

713/183
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 69/329   in the application layer [O...

Secure session management and authentication for web sites

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

60 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Secure session management and authentication for web sites

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links