Atomic session-start operation combining clear-text and encrypted sessions to provide ID visibility to middleware such as load-balancers

US 7,861,075 B2
Filed: 07/27/2004
Issued: 12/28/2010
Est. Priority Date: 09/01/1999
Status: Expired due to Term

First Claim

Patent Images

1. A system comprising:

a plurality of server devices configured to service data requests originating from a network of clients; and

a load balancer device configured to;

determine, from a received data request containing a secure session ID and including a reference to an encrypted component embedded on a product-information web page, which of the plurality of server devices to assign to process secure requests, anddetermine, from received data requests containing a server assignment indicator, which of the plurality of server devices to assign to process requests for non-secured data, wherein the load-balancer device comprises a session table storing a plurality of stored encrypted-session identifiers for comparison with the secure session ID, and wherein entries in the session table include a session identifier for an encrypted session and a server identifier that identifies an assigned server device in the plurality of server devices.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A load-balancer assigns incoming requests to servers at a server farm. An atomic operation assigns both un-encrypted clear-text requests and encrypted requests from a client to the same server at the server farm. An encrypted session is started early by the atomic operation, before encryption is required. The atomic operation is initiated by a special, automatically loaded component on a web page. This component is referenced by code requiring that an encrypted session be used to retrieve the component. Keys and certificates are exchanged between a server and the client to establish the encrypted session. The server generates a secure-sockets-layer (SSL) session ID for the encrypted session. The server also generates a server-assignment cookie that identifies the server at the server farm. The server-assignment cookie is encrypted and sent to the client along with the SSL session ID. The Client decrypts the server-assignment cookie and stores it along with the SSL session ID. The load-balancer stores the SSL session ID along with a server assignment that identifies the server that generated the SSL session ID. When other encrypted requests are generated by the client to the server farm, they include the SSL session ID. The load-balancer uses the SSL session ID to send the requests to the assigned server. When the client sends a non-encrypted clear-text request to the server farm, it includes the decrypted server-assignment cookie. The load balancer parses the clear-text request to find the server-assignment cookie. The load-balancer then sends the request to the assigned server.

Citations

12 Claims

1. A system comprising:
- a plurality of server devices configured to service data requests originating from a network of clients; and
  
  a load balancer device configured to;
  
  determine, from a received data request containing a secure session ID and including a reference to an encrypted component embedded on a product-information web page, which of the plurality of server devices to assign to process secure requests, anddetermine, from received data requests containing a server assignment indicator, which of the plurality of server devices to assign to process requests for non-secured data, wherein the load-balancer device comprises a session table storing a plurality of stored encrypted-session identifiers for comparison with the secure session ID, and wherein entries in the session table include a session identifier for an encrypted session and a server identifier that identifies an assigned server device in the plurality of server devices.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein:
    - the server assignment indicator is a server-assignment cookie, andthe server-assignment cookie is indicative of which server device from the plurality of server devices has previously been assigned to a respective client.
  - 3. The system of claim 1, wherein the server assignment indicator is generated by a server device of the plurality of server devices in response to receiving encrypted data capable of initiating a secured session between the server device of the plurality of server devices and the network.

4. A method comprising:
- generating, using a load balancing device, a server-assignment indicator in response to a first data request that includes a reference to an encrypted component embedded on a product-information web page, wherein the first data request comprises an encrypted-session request;
  
  comparing an encrypted-session identifier received by the load balancing device to a plurality of stored encrypted-session identifiers in a table accessible by the load balancing device;
  
  receiving, using the load balancing device, a second data request originating from a network;
  
  parsing, using the load balancing device, the second data request to determine a server-assignment indicator or a secure session identifier; and
  
  based on the server-assignment indicator or secure session identifier, assigning, using the load balancing device, one of a plurality of servers to process encrypted and non-encrypted requests originating from the network.
- View Dependent Claims (5, 6)
- - 5. The method of claim 4, wherein the encrypted-session identifier comprises a secure-sockets-layer (SSL) session ID contained in a non-encrypted portion of an encrypted connection.
  - 6. The method of claim 4, further comprising analyzing the second data request to determine if the second data request includes the server-assignment indicator in response to a determination that the second data request comprises a non-encrypted session request.

7. A method comprising:
- receiving, using a load balancer device, a secure session data request originating from a network, wherein the secure session data request comprises a request for encrypted data embedded on a web page, and wherein the encrypted data is invisible to a user of the web page;
  
  parsing, using the load balancer device, the secure session data request to determine a secure session identifier;
  
  comparing the secure session identifier to stored secure session identifiers in a session table accessible by the load balancer device;
  
  assigning, using the load balancer device, a first server from a plurality of servers to process the secure session data request and all subsequent encrypted and non-encrypted requests originating from a client containing the secure session identifier and a server assignment indicator associated with the first server; and
  
  passing, using the load balancer device, encryption authorization data through the load balancer device to directly establish a secure session between the first server and the client.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7, wherein the server assignment indicator is a cookie.
  - 9. The method of claim 7, wherein the encryption authorization data comprises encryption keys or certificates.

10. A server system comprising:
- means for servicing data requests originating from a network of clients;
  
  means for determining, from received data requests containing a secure session ID and including a reference to an encrypted component embedded on a product-information web page, which of a plurality of servers to assign to process secure requests;
  
  means for determining, from received data requests containing a server assignment indicator, which of the plurality of servers to assign to process requests for non-secured data; and
  
  means for storing, in a session table, a plurality of stored encrypted-session identifiers for comparison to the secure session ID, wherein entries in the session table include a session identifier for an encrypted session and a server identifier identifying an assigned server in the plurality of servers.

11. A system comprising:
- a processor; and
  
  a memory storing instructions that, if executed by a computing device, cause the processor to;
  
  generate a server-assignment indicator in response to a first data request that includes a reference to an encrypted component embedded on a product-information web page, wherein the first data request comprises an encrypted-session request;
  
  comparing a received encrypted-session identifier to a plurality of stored encrypted session identifiers in a table accessible by a load balancer;
  
  receive a second data request originating from a network;
  
  parse the second data request to determine a server-assignment indicator or a secure session identifier; and
  
  based on the server-assignment indicator or secure session identifier, assign one of a plurality of servers to process encrypted and non-encrypted requests originating from the network.

12. An article of manufacture including a non-transitory medium, the medium configured to be machine-accessible and readable, and the medium having instructions stored thereon, execution of which by a computing device causes the computing device to perform operations comprising:
- receiving, using a load balancer device, a secure session data request originating from a network, wherein the secure session data request comprises a request for encrypted data embedded on a web page, and wherein the encrypted data is invisible to a user of the web page;
  
  parsing, using the load balancer device, the secure session data request to determine a secure session identifier,comparing the secure session identifier to stored secure session identifiers in a session table accessible by the load balancer device;
  
  assigning, using the load balancer device, a first server from a plurality of servers to process the secure session data request and all subsequent encrypted and non-encrypted requests originating from a client containing the secure session identifier and a server assignment indicator associated with the first server; and
  
  passing, using the load balancer device, encryption authorization data through the load balancer device to directly establish a secure session between the first server and the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hanger Solutions, LLC (IP Investments Group LLC)
Original Assignee
Dickens Coal LLC (Intellectual Ventures LLC)
Inventors
Brendel, Juergen
Primary Examiner(s)
ZIA, SYED

Application Number

US10/900,840
Publication Number

US 20050010754A1
Time in Patent Office

2,345 Days
Field of Search

None
US Class Current

713/153
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/104   Grouping of entities

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/1001   for accessing one among a p...

H04L 67/1012   based on compliance of requ...

H04L 67/1027   Persistence of sessions dur...

H04L 67/14   Session management for real...

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

H04L 69/22   Parsing or analysis of headers

Atomic session-start operation combining clear-text and encrypted sessions to provide ID visibility to middleware such as load-balancers

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Atomic session-start operation combining clear-text and encrypted sessions to provide ID visibility to middleware such as load-balancers

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links