Systems and methods for using a client agent to manage HTTP authentication cookies

US 8,392,977 B2
Filed: 08/03/2006
Issued: 03/05/2013
Est. Priority Date: 08/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method for using a client agent to enable secure authentication in a virtual private network environment using an HTTP cookie, the method comprising:

(a) intercepting, by a client agent executing on a client, an HTTP communication comprising an authentication cookie from an appliance on a virtual private network to the client, the appliance verifying via the authentication cookie that a request of the client corresponds to a particular session;

(b) removing, by the client agent, the authentication cookie from the HTTP communication;

(c) storing, by the client agent, the authentication cookie;

(d) transmitting, by the client agent, the HTTP communication without the authentication cookie to an application executing on the client having a session with a server;

(e) intercepting, by the client agent at a network layer of a network stack of the client, an HTTP request transmitted from the application to the server via the session;

(f) inserting, by the client agent in the HTTP request, the authentication cookie; and

(g) transmitting, by the client agent, the HTTP request having the authentication cookie to the appliance, the appliance to verify via the authentication cookie that the HTTP request corresponds to the session prior to forwarding the HTTP request to the server.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for using a client agent to manage HTTP authentication cookies. One method includes intercepting, by a client agent executing on a client, a connection request from the client; establishing, by the client agent, a transport layer virtual private network connection with a network appliance; transmitting, by the client agent via the established connection, an HTTP request comprising an authentication cookie; and transmitting, by the client agent via the connection, the connection request. A second method includes intercepting, by a client agent executing on a client, an HTTP communication comprising a cookie from an appliance on a virtual private network to the client; removing, by the client agent, the cookie from the HTTP communication; storing, by the client agent, the received cookie; transmitting, by the client agent, the modified HTTP communication to an application executing on the client; intercepting, by the client agent, an HTTP request from the client; inserting, by the client agent in the HTTP request, the received cookie; and transmitting the modified HTTP request to the appliance. Corresponding systems are also described.

Citations

21 Claims

1. A method for using a client agent to enable secure authentication in a virtual private network environment using an HTTP cookie, the method comprising:
- (a) intercepting, by a client agent executing on a client, an HTTP communication comprising an authentication cookie from an appliance on a virtual private network to the client, the appliance verifying via the authentication cookie that a request of the client corresponds to a particular session;
  
  (b) removing, by the client agent, the authentication cookie from the HTTP communication;
  
  (c) storing, by the client agent, the authentication cookie;
  
  (d) transmitting, by the client agent, the HTTP communication without the authentication cookie to an application executing on the client having a session with a server;
  
  (e) intercepting, by the client agent at a network layer of a network stack of the client, an HTTP request transmitted from the application to the server via the session;
  
  (f) inserting, by the client agent in the HTTP request, the authentication cookie; and
  
  (g) transmitting, by the client agent, the HTTP request having the authentication cookie to the appliance, the appliance to verify via the authentication cookie that the HTTP request corresponds to the session prior to forwarding the HTTP request to the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein step (a) comprises intercepting, by a client agent executing on a client, an HTTP communication comprising a cookie from an appliance on a virtual private network to the client, wherein the cookie comprises authentication credentials.
  - 3. The method of claim 1, wherein step (e) comprises intercepting, by a client agent, an HTTP GET request from a client to a server on a virtual private network.
  - 4. The method of claim 1, wherein step (e) comprises intercepting, by the client agent, a plurality of HTTP requests from the client.
  - 5. The method of claim 1, wherein step (e) comprises intercepting, by the client agent, a plurality of HTTP requests from a plurality of applications executing on the client.
  - 6. The method of claim 1, further comprising the steps of:
    - (h) determining, by the client agent, that a client session with the virtual private network appliance has ended; and
      
      (i) deleting, responsive to the determination, the stored cookie.
  - 7. The method of claim 6, wherein step (h) comprises determining, by the client agent, that a transport layer connection between the client and the virtual private network appliance has terminated.
  - 8. The method of claim 1, wherein step (f) comprises inserting, by the client agent in the HTTP request, a cookie comprising user authentication credentials.
  - 9. The method of claim 1, wherein step (f) comprises inserting, by the client agent in the HTTP request, a cookie comprising application-specific authentication credentials.
  - 10. The method of claim 1, wherein step (f) comprises inserting, by the client agent in the HTTP request, a cookie comprising transport layer session information.

11. A computer implemented system for using a client agent to enable secure authentication in a virtual private network environment using an HTTP cookie, the system comprising:
- a client computing device; and
  
  a client agent executing on the client which intercepts an HTTP communication comprising a cookie from an appliance on a virtual private network to the client, the appliance verifying via the authentication cookie that a request of the client corresponds to a particular session; and
  
  wherein the client agent removes the cookie from the HTTP communication;
  
  stores the received cookie;
  
  transmits the modified HTTP communication to an application executing on the client having a session with a server;
  
  intercepts, an HTTP request from the client to the server via the session;
  
  inserting in the HTTP request, the received authentication cookie; and
  
  transmitting the modified HTTP request having the authentication cookie to the appliance, the appliance to verify via the authentication cookie that the HTTP request corresponds to the session prior to forwarding the HTTP request to the server.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the client agent intercepts an HTTP communication comprising a cookie from an appliance on a virtual private network to the client, wherein the cookie comprises authentication credentials.
  - 13. The system of claim 11, wherein the client agent intercepts an HTTP GET request from a client to a server on a virtual private network.
  - 14. The system of claim 11, wherein the client agent intercepts a plurality of HTTP requests from the client.
  - 15. The system of claim 11, wherein the client agent intercepts a plurality of HTTP requests from a plurality of applications executing on the client.
  - 16. The system of claim 11, wherein the client agent determines that a client session with the virtual private network appliance has ended;
    - and, responsive to the determination, deletes the stored cookie.
  - 17. The system of claim 16, wherein the client agent determines that a transport layer connection between the client and the virtual private network appliance has terminated.
  - 18. The system of claim 11, wherein the client agent inserts in the HTTP request a cookie comprising user authentication credentials.
  - 19. The system of claim 11, wherein the client agent inserts in the HTTP request a cookie comprising application-specific authentication credentials.
  - 20. The system of claim 11, wherein the client agent inserts in the HTTP request a cookie comprising transport layer session information.

21. A method using a client agent to enable secure authentication using a cookie, the method comprising:
- (a) establishing, by a client agent executing on a client device, a transport layer connection with a network device intermediary to the client device and a server;
  
  (b) receiving, by the client agent, an Hypertext Transfer Protocol communication from the network device, an HTTP communication comprising an authentication cookie, the authentication cookie comprising an authentication string for the network device to verify a request corresponds to a particular session;
  
  (c) storing, by the client agent, the authentication cookie removed from the HTTP communication;
  
  (d) communicating, by the client agent, the HTTP response without the cookie to an application executing on the client device having a session with the server;
  
  (e) transmitting, by the application on the client via the session an HTTP request to the server;
  
  (f) intercepting, by the client agent at a network layer of a network stack of the client device, the HTTP request;
  
  (g) adding, by the client agent, the authentication cookie from storage to the HTTP request; and
  
  (h) transmitting, by the client agent, the HTTP request having the authentication cookie to the network device, the network device to verify via the authentication cookie that the HTTP request corresponds to the session prior to forwarding the HTTP request to the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
He, Junxiao, Venkatraman, Charu, Rajan, Roy, Soni, Ajay
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Anderson, Michael D

Application Number

US11/462,308
Publication Number

US 20080034413A1
Time in Patent Office

2,406 Days
Field of Search

726/9, 726/12, 726/14, 709/239, 709/224
US Class Current

726/9
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/166   at the transport layer

H04L 67/02   based on web technology, e....

Systems and methods for using a client agent to manage HTTP authentication cookies

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for using a client agent to manage HTTP authentication cookies

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links