Methods and apparatus for providing security in a caching device

US 7,461,262 B1
Filed: 03/19/2002
Issued: 12/02/2008
Est. Priority Date: 03/19/2002
Status: Active Grant

First Claim

Patent Images

1. In a caching device, a method for providing content, comprising the steps of:

(A) obtaining content from an origin server;

(B) observing an access identifier provided by the origin server in response to a first content request, the access identifier providing an authentication indication for accessing the content obtained from the origin server; and

(C) receiving a second content request, and one of (i) preventing the origin server from handling the second content request and providing the obtained content when the second content request includes the access identifier, and (ii) forwarding the second content request to the origin server for processing when the second content request does not include the access identifier;

in response to receiving the second content request;

comparing the access identifier received with second content request to the access identifier received from the origin server;

if the comparison indicates that the access identifier received with second content request is equivalent to the access identifier received from the origin server, performing the step of (i) preventing the origin server from handling the second content request and providing the obtained content; and

if the comparison indicates that the access identifier received with second content request is not equivalent to the access identifier received from the origin server, performing the step of (ii) forwarding the second content request to the origin server for processing;

wherein observing the access identifier comprises reading the access identifier provided by the origin server in response to the first content request, the access identifier configured as a cookie that provides authentication indication to a client computer device for accessing the content obtained from the origin server;

wherein, in response to receiving the second content request;

comparing the access identifier received with second content request to the access identifier received from the origin server comprises comparing a cookie received with the second content request to the cookie received from the origin server;

if the comparison indicates that the cookie received with second content request is equivalent to the cookie received from the origin server, performing the step of (i) preventing the origin server from handling the second content request and providing the obtained content; and

if the comparison indicates that the cookie received with second content request is not equivalent to the cookie received from the origin server, performing the step of (ii) forwarding the second content request to the origin server for processing.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention is directed to techniques, in a caching device, for providing content, comprising the steps of obtaining content from an origin server, observing an access identifier provided by the origin server in response to a first content request, the access identifier providing an authentication indication for accessing the content obtained from the origin server, receiving a second content request, and one of (i) preventing the origin server from handling the second content request and providing the obtained content when the second content request includes the access identifier, and (ii) forwarding the second content request to the origin server for processing when the second content request does not include the access identifier.

76 Citations

View as Search Results

23 Claims

1. In a caching device, a method for providing content, comprising the steps of:
- (A) obtaining content from an origin server;
  
  (B) observing an access identifier provided by the origin server in response to a first content request, the access identifier providing an authentication indication for accessing the content obtained from the origin server; and
  
  (C) receiving a second content request, and one of (i) preventing the origin server from handling the second content request and providing the obtained content when the second content request includes the access identifier, and (ii) forwarding the second content request to the origin server for processing when the second content request does not include the access identifier;
  
  in response to receiving the second content request;
  
  comparing the access identifier received with second content request to the access identifier received from the origin server;
  
  if the comparison indicates that the access identifier received with second content request is equivalent to the access identifier received from the origin server, performing the step of (i) preventing the origin server from handling the second content request and providing the obtained content; and
  
  if the comparison indicates that the access identifier received with second content request is not equivalent to the access identifier received from the origin server, performing the step of (ii) forwarding the second content request to the origin server for processing;
  
  wherein observing the access identifier comprises reading the access identifier provided by the origin server in response to the first content request, the access identifier configured as a cookie that provides authentication indication to a client computer device for accessing the content obtained from the origin server;
  
  wherein, in response to receiving the second content request;
  
  comparing the access identifier received with second content request to the access identifier received from the origin server comprises comparing a cookie received with the second content request to the cookie received from the origin server;
  
  if the comparison indicates that the cookie received with second content request is equivalent to the cookie received from the origin server, performing the step of (i) preventing the origin server from handling the second content request and providing the obtained content; and
  
  if the comparison indicates that the cookie received with second content request is not equivalent to the cookie received from the origin server, performing the step of (ii) forwarding the second content request to the origin server for processing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the step of observing the access identifier provided by the origin server in response to the first content request includes the step of:
    - modifying a table such that the table includes an entry authorizing the caching device to provide the obtained content in response to content requests which include the access identifier.
  - 3. The method of claim 2, further comprising the steps of:
    - starting a timeout clock in response to observing the access identifier provided by the origin server in response to the first content request; and
      
      adjusting the table such that the caching device is no longer authorized to provide the obtained content in response to content requests which include the access identifier if the timeout clock exceeds a predetermined threshold.
  - 4. The method of claim 3, further comprising the step of:
    - changing the predetermined threshold to another threshold based on a command within the access identifier.
  - 5. The method of claim 2, further comprising the step of:
    - starting a timeout clock in response to observing the access identifier provided by the origin server in response to the first content request; and
      
      restarting the timeout clock in response to observing another access identifier provided by the origin server in response to another content request.
  - 6. The method of claim 1 wherein the content is identifiable by a first resource locator, wherein an additional content request includes an additional resource locator, and wherein the method further includes the step of:
    - preventing the origin server from handling the additional content request and providing the obtained content when a predetermined amount of the additional resource locator matches a predetermined amount of the first resource locator; and
      
      forwarding the additional content request to the origin server for processing when the predetermined amount of the additional resource locator does not match the predetermined amount of the first resource locator.
  - 7. The method of claim 6, wherein:
    - preventing the origin server from handling the additional content request and providing the content obtained by the communications interface from the origin server when the predetermined amount of the additional resource locator matches the predetermined amount of the first resource locator comprises;
      
      comparing a predetermined number of characters within the additional resource locator with a predetermined number of characters within the first resource locator, the additional resource locator configured as a Uniform Resource Locator (URL) and the first resource locator configured as a URL, andpreventing the origin server from handling the additional content request and providing the content obtained by the communications interface from the origin server when a predetermined number of characters within the additional resource locator matches the predetermined number of characters within the first resource locator; and
      
      forwarding the additional content request to the origin server for processing when the predetermined amount of the additional resource locator does not match the predetermined amount of the first resource locator comprises;
      
      comparing the predetermined number of characters within the additional resource locator with the predetermined number of characters within the first resource locator, the additional resource locator configured as a URL and the first resource locator configured as a URL; and
      
      forwarding the additional content request to the origin server for processing when the predetermined number of characters within the additional resource locator does not match the predetermined number of characters within the first resource locator.
  - 8. The method of claim 1 wherein the first content request includes a first client identifier, wherein an additional request includes an additional client identifier, and wherein the method further includes the step of:
    - preventing the origin server from handling an additional content request and providing the obtained content when a predetermined amount of the additional client identifier matches a predetermined amount of the first client identifier; and
      
      forwarding the additional content request to the origin server for processing when the predetermined amount of the additional client identifier does not match the predetermined amount of the first client identifier.
  - 9. The method of claim 1 wherein the content is identifiable by a first resource locator, wherein an additional content request includes an additional resource locator, wherein the first content request includes a first client identifier, wherein an additional request includes an additional client identifier, and wherein the method further includes the step of:
    - preventing the origin server from handling the additional content request and providing the obtained content when a predetermined amount of the additional resource locator matches a predetermined amount of the first resource locator and a predetermined amount of the additional client identifier matches a predetermined amount of the first client identifier; and
      
      forwarding the additional content request to the origin server for processing when the predetermined amount of the additional resource locator does not match the predetermined amount of the first resource locator; and
      
      forwarding the additional content request to the origin server for processing when the predetermined amount of the additional client identifier does not match the predetermined amount of the first client identifier.
  - 10. The method of claim 1 wherein the access identifier includes a timestamp and the table includes an expiration indication, and wherein the step of observing includes the steps of:
    - reading the timestamp in the access identifier when the second content request includes the access identifier;
      
      comparing the timestamp to the expiration indicator; and
      
      preventing the origin server from handling an additional content request and providing additional content when the timestamp does not exceed the expiration indicator; and
      
      forwarding the additional content request to the origin server for processing when the timestamp exceeds the expiration indicator.
  - 11. The method of claim 1, wherein:
    - obtaining content from the origin server comprises obtaining content from the origin server in the absence of a preset security agreement between the origin server the caching device; and
      
      comparing a cookie received with the second content request to the cookie received from the origin server further comprises detecting an authorization of the second content request based upon the results of the comparison between the cookie received with the second content request and the cookie received from the origin server.

12. A caching device, comprising:
- an communications interface;
  
  a controller coupled to the interface,wherein the communications interface is configured to obtain content from the origin server;
  
  the controller is configured to observe an access identifier provided by the origin server in response to a first content request, the access identifier providing an authentication indication for accessing the content obtained from the origin server; and
  
  the controller is configured to receive a second content request, and one of (i) preventing the origin server from handling the second content request and providing the obtained content when the second content request includes the access identifier, and (ii) forwarding the second content request to the origin server for processing when the second content request does not include the access identifier,in response to receiving the second content request;
  
  the controller is configured to compare the access identifier received with second content request to the access identifier received from the origin server;
  
  if the comparison indicates that the access identifier received with second content request is equivalent to the access identifier received from the origin server, the controller is configured to perform the step of (i) preventing the origin server from handling the second content request and providing the obtained content; and
  
  if the comparison indicates that the access identifier received with second content request is not equivalent to the access identifier received from the origin server, the controller is configured to perform the step of (ii) forwarding the second content request to the origin server for processing;
  
  wherein when observing the access identifier the controller is configured to read the access identifier provided by the origin server in response to the first content request, the access identifier configured as a cookie that provides authentication indication to a client computer device for accessing the content obtained from the origin server;
  
  wherein, in response to receiving the second content request the controller is configured to;
  
  when comparing the access identifier received with second content request to the access identifier received from the origin server comprises compare a cookie received with the second content request to the cookie received from the origin server;
  
  if the comparison indicates that the cookie received with second content request is equivalent to the cookie received from the origin server, perform the step of (i) preventing the origin server from handling the second content request and providing the obtained content; and
  
  if the comparison indicates that the cookie received with second content request is not equivalent to the cookie received from the origin server, perform the step of (ii) forwarding the second content request to the origin server for processing.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The caching device of claim 12 wherein a table exists within the controller and wherein, to observe the access identifier provided by the origin server in response to the first content request, the controller is configured to:
    - modify the table, within the controller, such that the table includes an entry authorizing the caching device to provide the obtained content in response to content requests which include the access identifier.
  - 14. The caching device of claim 13, wherein a predetermined threshold is stored within the controller includes a timeout clock and the controller is configured to:
    - start a timeout clock in response to observing the access identifier provided by the origin server in response to the first content request; and
      
      adjust the table, within the controller, such that the caching device is no longer authorized to provide the obtained content in response to content requests which include the access identifier if the timeout clock exceeds the predetermined threshold.
  - 15. The caching device of claim 14, wherein the controller is configured to:
    - change the predetermined threshold to another threshold based on a command within the access identifier.
  - 16. The caching device of claim 13, wherein the controller is configured to:
    - start a timeout clock in response to observing the access identifier provided by the origin server in response to the first content request; and
      
      restart the timeout clock in response to observing another access identifier provided by the origin server in response to another content request.
  - 17. The caching device of claim 12 wherein the content, obtained from the origin server is identifiable by a first resource locator, wherein the additional content request includes an additional resource locator, and wherein, to receive the additional content request, the controller is configured to:
    - prevent the origin server from handling the additional content request and provide the content obtained by the communications interface from the origin server when a predetermined amount of the additional resource locator matches a predetermined amount of the first resource locator; and
      
      forward the additional content request to the origin server for processing when the predetermined amount of the additional resource locator does not match the predetermined amount of the first resource locator.
  - 18. The caching device of claim 12 wherein the first content request includes a first client identifier, wherein the additional content request includes an additional client identifier, and wherein, to receive a additional content request, the controller is configured to:
    - prevent the origin server from handling the additional content request received by the communications interface from the origin server and provide the obtained content when a predetermined amount of the additional client identifier matches a predetermined amount of the first client identifier; and
      
      forward the additional content request to the origin server for processing when the predetermined amount of the additional client identifier does not match the predetermined amount of the first client identifier.
  - 19. The caching device of claim 12 wherein the content is identifiable by a first resource locator, wherein an additional content request includes an additional resource locator, wherein the first content request includes a first client identifier, wherein an additional request includes an additional client identifier, and wherein, to receive an additional content request, the controller if configured to:
    - prevent the origin server from handling the additional content request and providing the obtained content when a predetermined amount of the additional resource locator matches a predetermined amount of the first resource locator and a predetermined amount of the additional client identifier matches a predetermined amount of the first client identifier; and
      
      forward the additional content request to the origin server for processing when the predetermined amount of the additional resource locator does not match the predetermined amount of the first resource locator; and
      
      forward the additional content request to the origin server for processing when the predetermined amount of the additional client identifier does not match the predetermined amount of the first client identifier.
  - 20. The caching device of claim 12 wherein the access identifier includes a timestamp and the table includes an expiration indication, and wherein the controller is configured to:
    - read the timestamp in the access identifier received by the communications interface when the additional content request includes the access identifier;
      
      compare the timestamp to an expiration indicator from a table stored in memory;
      
      prevent the origin server from handling an additional content request and providing additional content when the timestamp does not exceed the expiration indicator; and
      
      forward the additional content request to the origin server for processing when the timestamp exceeds the expiration indicator.

21. A computer program product that includes a computer readable medium having instructions stored thereon such that, when the instructions are carried out by a computer, the computer can be configured to operate as a caching device capable of performing the steps of:
- (A) obtaining content from an origin server;
  
  (B) observing an access identifier provided by the origin server in response to a first content request, the access identifier providing an authentication indication for accessing the content obtained from the origin server; and
  
  (C) receiving a second content request, and one of (i) preventing the origin server from handling the second content request and providing the obtained content when the second content request includes the access identifier, and (ii) forwarding the second content request to the origin server for processing when the second content request does not include the access identifier;
  
  in response to receiving the second content request;
  
  comparing the access identifier received with second content request to the access identifier received from the origin server;
  
  if the comparison indicates that the access identifier received with second content request is equivalent to the access identifier received from the origin server, performing the step of (i) preventing the origin server from handling the second content request and providing the obtained content; and
  
  if the comparison indicates that the access identifier received with second content request is not equivalent to the access identifier received from the origin server, performing the step of (ii) forwarding the second content request to the origin server for processing;
  
  wherein observing the access identifier comprises reading the access identifier provided by the origin server in response to the first content request, the access identifier configured as a cookie that provides authentication indication to a client computer device for accessing the content obtained from the origin server;
  
  wherein, in response to receiving the second content request;
  
  comparing the access identifier received with second content request to the access identifier received from the origin server comprises comparing a cookie received with the second content request to the cookie received from the origin server;
  
  if the comparison indicates that the cookie received with second content request is equivalent to the cookie received from the origin server, performing the step of (i) preventing the origin server from handling the second content request and providing the obtained content; and
  
  if the comparison indicates that the cookie received with second content request is not equivalent to the cookie received from the origin server, performing the step of (ii) forwarding the second content request to the origin server for processing.

22. A caching device, comprising:
- memory to store a table;
  
  a communications interface to communicate with a client computer system;
  
  a controller to observe an access identifier;
  
  an interconnection mechanism coupling the memory, communications interface and controller;
  
  means, coupled to the communications interface, for obtaining content from an origin server;
  
  means, coupled to the communications interface and controller, for observing an access identifier provided by the origin server in response to a first content request, the access identifier providing an authentication indication for accessing the content obtained from the origin server; and
  
  means, coupled to the communications interface and controller, for receiving a second content request, and one of (i) preventing the origin server from handling the second content request and providing the obtained content when the second content request includes the access identifier, and (ii) forwarding the second content request to the origin server for processing when the second content request does not include the access identifier,wherein means for receiving comprises means for comparing the access identifier received with second content request to the access identifier received from the origin server;
  
  if the comparison indicates that the access identifier received with second content request is equivalent to the access identifier received from the origin server, performing the step of (i) preventing the origin server from handling the second content request and providing the obtained content; and
  
  if the comparison indicates that the access identifier received with second content request is not equivalent to the access identifier received from the origin server, performing the step of (ii) forwarding the second content request to the origin server for processing;
  
  wherein means for observing the access identifier comprises means for reading the access identifier provided by the origin server in response to the first content request, the access identifier configured as a cookie that provides authentication indication to a client computer device for accessing the content obtained from the origin server;
  
  wherein, in response to receiving the second content request;
  
  means for receiving comprises means for comparing the access identifier received with second content request to the access identifier received from the origin server comprises comparing a cookie received with the second content request to the cookie received from the origin server;
  
  if the comparison indicates that the cookie received with second content request is equivalent to the cookie received from the origin server, performing the step of (i) preventing the origin server from handling the second content request and providing the obtained content; and
  
  if the comparison indicates that the cookie received with second content request is not equivalent to the cookie received from the origin server, performing the step of (ii) forwarding the second content request to the origin server for processing.

23. A system for providing content comprising:
- a client computer system for providing content requests;
  
  an origin server in communication with said client computer system, said origin server for providing content in response to content requests; and
  
  a caching device in communication with said client computer system, and said origin server, said caching device comprising;
  
  a controller coupled to the interface,wherein the controller is configured to obtain content from the origin server;
  
  the controller is configured to observe an access identifier provided by the origin server in response to a first content request, the access identifier providing an authentication indication for accessing the content obtained from the origin server; and
  
  the controller is configured to receive a second content request, and one of (i) preventing the origin server from handling the second content request and providing the obtained content when the second content request includes the access identifier, and (ii) forwarding the second content request to the origin server for processing when the second content request does not include the access identifier,in response to receiving the second content request;
  
  the controller is configured to compare the access identifier received with second content request to the access identifier received from the origin server;
  
  if the comparison indicates that the access identifier received with second content request is equivalent to the access identifier received from the origin server, the controller is configured to perform the step of (i) preventing the origin server from handling the second content request and providing the obtained content; and
  
  if the comparison indicates that the access identifier received with second content request is not equivalent to the access identifier received from the origin server, the controller is configured to perform the step of (ii) forwarding the second content request to the origin server for processing;
  
  wherein when observing the access identifier the controller is configured to read the access identifier provided by the origin server in response to the first content request, the access identifier configured as a cookie that provides authentication indication to a client computer device for accessing the content obtained from the origin server;
  
  wherein, in response to receiving the second content request the controller is configured to;
  
  when comparing the access identifier received with second content request to the access identifier received from the origin server comprises compare a cookie received with the second content request to the cookie received from the origin server;
  
  if the comparison indicates that the cookie received with second content request is equivalent to the cookie received from the origin server, perform the step of (i) preventing the origin server from handling the second content request and providing the obtained content; and
  
  if the comparison indicates that the cookie received with second content request is not equivalent to the cookie received from the origin server, perform the step of (ii) forwarding the second content request to the origin server for processing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
O'Toole, James W. Jr.
Primary Examiner(s)
Sheikh; Ayaz R
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US10/100,810
Time in Patent Office

2,450 Days
Field of Search

713/154, 713/165, 713/178, 713/182, 713/200, 713/201
US Class Current

713/182
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/85   interconnection devices, e....

H04L 63/0807   using tickets, e.g. Kerbero...

Methods and apparatus for providing security in a caching device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

76 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for providing security in a caching device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links