Combining a browser cache and cookies to improve the security of token-based authentication protocols

US 7,240,192 B1
Filed: 03/12/2003
Issued: 07/03/2007
Est. Priority Date: 03/12/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method of improving the security of protocols for communication between a client and a server coupled to a data communication network, the method comprising:

receiving, at the server, a request from the client for a resource;

computing a first portion of data from the authentication token;

providing the computed first portion to the client in response to the received request for the resource, said computed first portion being adapted for storage in a first memory area associated with the client, said first memory area comprising a cookie;

computing a second portion of data from the authentication token; and

providing the computed second portion to the client in response to the received request for the resource, said computed second portion being adapted for storage as information in a second memory area associated with the client, said information being inaccessible to the server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Combining a browser cache and cookies to improve the security of token-based authentication protocols. A client stores a first portion of an authentication token as information (e.g., a cookie) in a first memory area. The client stores a second portion of the authentication token as server-inaccessible information (e.g., cached web content) in a second memory area. A server obtains the first and second portions from the client to recreate the authentication token to authenticate the client.

97 Citations

View as Search Results

37 Claims

1. A method of improving the security of protocols for communication between a client and a server coupled to a data communication network, the method comprising:
- receiving, at the server, a request from the client for a resource;
  
  computing a first portion of data from the authentication token;
  
  providing the computed first portion to the client in response to the received request for the resource, said computed first portion being adapted for storage in a first memory area associated with the client, said first memory area comprising a cookie;
  
  computing a second portion of data from the authentication token; and
  
  providing the computed second portion to the client in response to the received request for the resource, said computed second portion being adapted for storage as information in a second memory area associated with the client, said information being inaccessible to the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the first memory area comprises a memory area accessible to the server.
  - 3. The method of claim 1, wherein the second memory area comprises a browser cache accessible to the client and inaccessible to the server.
  - 4. The method of claim 1, wherein the computed first portion comprises a client identifier.
  - 5. The method of claim 4, further comprising:
    - receiving, at the server, client identity information from the client;
      
      generating the client identifier in response to the received client identity information, the generated client identifier containing at least a part of the received client identity information; and
      
      delivering the generated client identifier to the client for storage in the first memory area.
  - 6. The method of claim 5, wherein the client identity information comprises a login name and a password of the client.
  - 7. The method of claim 5, wherein the computed second portion comprises a credential value computed as a function of at least a part of the received client identity information and a key value.
  - 8. The method of claim 7, wherein the resource comprises web content, and further comprising:
    - computing the credential value as a function of at least a part of the received client identity information and the key value;
      
      adding the computed credential value to the web content; and
      
      delivering the web content with the computed credential value to the client for storage in the second memory area.
  - 9. The method of claim 8, wherein the delivered web content includes a reference to additional content accessible to the server, the reference including the credential value delivered to the client for storage in the second memory area, and further comprising:
    - redirecting the client to the additional content via the reference;
      
      receiving, from the client in response to said redirecting, the client identifier and the credential value;
      
      computing another credential value as a function of the received client identifier and the key value; and
      
      authenticating the client if the computed, other credential value matches the received credential value.
  - 10. The method of claim 9, further comprising delivering an error message to the client if the received credential value differs from the computed, other credential value.
  - 11. The method of claim 9, wherein the reference to additional content comprises a hyperlink to a location on the data communication network.
  - 12. The method of claim 8, wherein the web content includes a hypertext markup language (HTML) document, wherein the web content includes a reference to additional content accessible to the server, wherein the reference comprises a hyperlink to a location on the data communication network, and wherein the additional content is accessible by the client from within the HTML document via the hyperlink.
  - 13. The method of claim 1, further comprising:
    - generating a network address for the web content; and
      
      providing the generated network address to the client for storage as part of the computed first portion.
  - 14. The method of claim 1, further comprising:
    - receiving, at the server, another request from the client for the resource;
      
      obtaining, in response to the received, other request, the computed first portion from the client;
      
      obtaining, in response to the received, other request, the computed second portion from the client; and
      
      combining the obtained first and second portions to recreate the authentication token.
  - 15. The method of claim 1, wherein the server and the client communicate via a stateless protocol having request-response semantics.
  - 16. The method of claim 1, wherein the computed first portion comprises a randomly-generated string having a first string length equal to a second string length associated with the authentication token, and wherein the computed second portion comprises an exclusive-or computation of the computed first portion and the authentication token.
  - 17. The method of claim 1, wherein one or more computer readable media have computer-executable instructions for performing the method recited in claim 1.

18. A method of improving the security of protocols for communication between a client and a server coupled to a data communication network, the method comprising:
- receiving, at the server, a request from the client for a resource;
  
  obtaining, in response to the received request for the resource, a first portion of data associated with an authentication token from the client, said first portion being stored by the client in a first memory area, said first memory area comprising a cookie, wherein a second portion of data is stored by the client as information in a second memory area, said information being inaccessible to the server;
  
  obtaining, in response to the received request for the resource, the second portion associated with the authentication token from the client; and
  
  combining the obtained first and second portions to recreate the authentication token.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 19. The method of claim 18, wherein obtaining the first portion comprises receiving, from the client, a client identifier specific to the client.
  - 20. The method of claim 18, wherein obtaining the first portion comprises receiving, from the client, the cookie containing a client identifier specific to the client.
  - 21. The method of claim 18, wherein obtaining the second portion comprises receiving, from the client, a credential value computed as a function of the first portion stored by the client in the first memory area and a key value.
  - 22. The method of claim 18, wherein the resource comprises web content, and wherein obtaining the first portion comprises:
    - receiving, from the client, a client identifier specific to the client, the client identifier identifying the web content stored by the client; and
      
      redirecting the client to the web content stored by the client.
  - 23. The method of claim 22, wherein the client identifier comprises one or more of the following:
    - a login name, a password, a key value, and a uniform resource locator.
  - 24. The method of claim 22, wherein the web content stored by the client includes a reference to additional content accessible to the server, the reference including a credential value representing a function of the first portion stored by the client in the first memory area and a key value, wherein obtaining the second portion comprises:
    - receiving, at the server, another request from the client for the additional content, the other request comprising the reference;
      
      receiving the credential value stored by the client in the first memory area via the received reference; and
      
      delivering the additional content to the client in response to the other request.
  - 25. The method of claim 24, wherein combining comprises:
    - computing another credential value as a function of the obtained first portion and the key value; and
      
      recreating the authentication token if the computed credential value matches the received credential value.
  - 26. The method of claim 25, further comprising providing the recreated authentication token to the client to authenticate the client.
  - 27. The method of claim 25, further comprising delivering an error message to the client if the computed credential value differs from the received credential value.
  - 28. The method of claim 18, wherein the first portion comprises a randomly-generated string having a first string length equal to a second string length associated with the authentication token, wherein the second portion comprises an exclusive-or computation of the first portion and the authentication token, and wherein combining comprises computing the exclusive-or of the first portion and the second portion.
  - 29. The method of claim 18, wherein one or more computer readable media have computer-executable instructions for performing the method recited in claim 18.

30. One or more computer-readable media having computer-executable components for improving the security of protocols for communication between a client and a server coupled to a data communication network, the components comprising:
- an interface module for receiving, at the server, a request from the client for a resource; and
  
  an authentication module for providing a first portion of data associated with the authentication token to the client in response to the request for the resource received by the interface module, said first portion being adapted for storage in a first memory area associated with the client, said first memory area comprising a cookie, said authentication module further providing a second portion of data associated with the authentication token to the client in response to the request for the resource received by the interface module, said second portion being adapted for storage as information in a second memory area associated with the client, said information being inaccessible to the server.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37)
- - 31. The computer-readable media of claim 30, wherein the first portion comprises a client identifier, wherein the interface module further receives, at the server, client identity information from the client, wherein the authentication module further generates the client identifier in response to the received client identity information, the generated client identifier containing at least a part of the received client identity information, and wherein the interface module further delivers the generated client identifier to the client for storage in the first memory area.
  - 32. The computer-readable media of claim 31, wherein the second portion comprises a credential value computed as a function of at least a part of the received client identity information and a key value, wherein the authentication module further computes the credential value as a function of at least a part of the received client identity information and the key value, wherein the resource comprises web content, wherein the authentication module further adds the computed credential value to the web content, and wherein the authentication module further delivers the web content with the computed credential value to the client for storage in the second memory area.
  - 33. The computer-readable media of claim 32, wherein the delivered web content includes a reference to additional content accessible to the server, the reference including the credential value delivered to the client for storage in the second memory area, wherein the interface module further redirects the client to the additional content via the reference and receives the client identifier and the credential value from the client in response to said redirecting, wherein the authentication module further computes another credential value as a function of the received client identifier and the key value and authenticates the client if the computed, other credential value matches the received credential value.
  - 34. The computer-readable media of claim 30, wherein the interface module further receives, at the server, another request from the client for the resource, and further comprising a re-authentication module for:
    - obtaining, in response to the other request for the resource received by the interface module, the first portion from the client;
      
      obtaining, in response to the other request for the resource received by the interface module, the second portion from the client; and
      
      combining the obtained first and second portions to recreate the authentication token.
  - 35. The computer-readable media of claim 34, wherein obtaining the first portion comprises:
    - receiving, from the client, a client identifier specific to the client, the client identifier identifying web content stored by the client; and
      
      redirecting the client to the web content stored by the client.
  - 36. The computer-readable media of claim 35, wherein the web content stored by the client includes a reference to additional content accessible to the server, the reference including a credential value representing a function of the first portion stored by the client in the first memory area and a key value, wherein obtaining the second portion comprises:
    - receiving, at the server, another request from the client for the additional content, the other request comprising the reference;
      
      receiving the credential value stored by the client in the first memory area via the received reference; and
      
      delivering the additional content to the client in response to the other request.
  - 37. The computer-readable media of claim 36, wherein combining comprises:
    - computing another credential value as a function of the obtained first portion and the key value; and
      
      recreating the authentication token if the computed credential value matches the received credential value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Paya, Ismail Cem, Chow, Trevin
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Nalven; Andrew L

Application Number

US10/388,072
Time in Patent Office

1,574 Days
Field of Search

726/28, 713/152
US Class Current

713/152
CPC Class Codes

H04L 2463/102 applying security measure f...

H04L 63/0807 using tickets, e.g. Kerbero...

Combining a browser cache and cookies to improve the security of token-based authentication protocols

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

97 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Combining a browser cache and cookies to improve the security of token-based authentication protocols

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links