Method and apparatus for protecting against attacks from outside content

US 8,533,786 B2
Filed: 04/19/2011
Issued: 09/10/2013
Est. Priority Date: 12/02/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an authentication of a user to a first domain by an application server, the application server being a computing system connected to the first domain and a second domain;

establishing a first active session for the user with the first domain by the application server based on the authentication;

receiving a request from the user to access content from the second domain at the application server after establishing the first active session;

searching for a second active session for the user with the second domain;

if no second active session with the second domain is found, then determining whether the first session with the first domain is active;

if the first active session with the first domain is found, then establishing a sub-session with the second domain based on and dependent upon the active session with the first domain by the application server; and

providing the requested content through the application server to the user based on the established sub-session with the second domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for protecting against attacks from outside content is described. In one example, a request is received from a user to access content from a second domain. An active session for the user with the second domain is searched for. If no active session is found, then an active session with a related first domain is searched for. If an active session is found with the first domain, then a session is established with the second domain based on the active session with the first domain. The requested content is then provided to the user based on the established session with the second domain.

147 Citations

17 Claims

1. A method comprising:
- receiving an authentication of a user to a first domain by an application server, the application server being a computing system connected to the first domain and a second domain;
  
  establishing a first active session for the user with the first domain by the application server based on the authentication;
  
  receiving a request from the user to access content from the second domain at the application server after establishing the first active session;
  
  searching for a second active session for the user with the second domain;
  
  if no second active session with the second domain is found, then determining whether the first session with the first domain is active;
  
  if the first active session with the first domain is found, then establishing a sub-session with the second domain based on and dependent upon the active session with the first domain by the application server; and
  
  providing the requested content through the application server to the user based on the established sub-session with the second domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein establishing a sub-session comprises establishing a child session.
  - 3. The method of claim 1, wherein searching for an active session comprises searching for a valid session cookie.
  - 4. The method of claim 1, further comprising retrieving permissions of the user on the second domain and wherein providing the requested content comprises providing the requested content if the content is allowed by the retrieved permissions.
  - 5. The method of claim 4, wherein retrieving permissions comprises retrieving permissions only if there is an active session with the second domain.
  - 6. The method of claim 1, wherein the second domain contains content uploaded from users other than the user and a system administrator.
  - 7. The method of claim 1, wherein the second domain contains content, available to authenticated users, that is not available on the first domain.

8. An apparatus comprising:
- an application server in the form of a hardware computing system coupled to a first and a second database in first and second domains, respectively, to receive an authentication of a user to the first domain, to establish a first active session for a user with the first domain based on the authentication, to receive a request from the user to access content from the second domain after establishing the first active session, the application server having a servlet to search for a second active session for the user with the second domain, if no second active session is found, then to determine whether the first session with the first domain is active, and if an active first session is found with the first domain, then to establish a sub-session with the second domain based on and dependent upon the active first session with the first domain, the application server to provide the requested content to the user based on the established sub-session with the second domain.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The apparatus of claim 8, wherein the servlet comprises a cookie storage to store cookies for valid sessions with the first and second domains.
  - 10. The apparatus of claim 8, further comprising a permissions storage and wherein the application server retrieves permissions of the user on the second domain from the permissions storage and provides the requested content if the content is allowed by the retrieved permissions.
  - 11. The apparatus of claim 8, wherein the first domain comprises content accessible to users and pointers to content in the second domain.
  - 12. The apparatus of claim 11, wherein the second domain content comprises content that is not available on the first domain.

13. A non-transitory machine-readable medium carrying one or more sequences of instructions for providing content of a second domain from a first domain, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving an authentication of a user to the first domain;
  
  establishing a first active session for the user with the first domain by an application server, the application server being a computing system connected to the first domain and a second domain;
  
  receiving a request from the user to access content from the second domain at the application server after establishing the first active session;
  
  searching for a second active session for the user with the second domain;
  
  if no second active session is found with the second domain, then determining whether the first session with the first domain is active;
  
  if the first active session with the first domain is found, then establishing a sub-session with the second domain based on and dependent upon the active session with the first domain by the application server; and
  
  providing the requested content through the application server to the user based on the established sub-session with the second domain.
- View Dependent Claims (14, 15)
- - 14. The machine-readable medium of claim 13, the second domain session comprises a child session.
  - 15. The machine-readable medium of claim 13, wherein the second domain contains content uploaded from users other than the user and a system administrator.

16. An apparatus for providing content of a second domain from a first domain, the apparatus comprising:
- a hardware processor; and
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving an authentication of a user to a first domain by an application server, the application server being a computing system connected to the first domain and a second domain;
  
  establishing a first active session for the user with the first domain by the application server based on the authentication;
  
  receiving a request from the user to access content from the second domain at the application server after establishing the first active session;
  
  searching for a second active session for the user with the second domain;
  
  if no second active session with the second domain is found, then determining whether the first session with the first domain is active;
  
  if the first active session with the first domain is found, then establishing a sub-session with the second domain based on and dependent upon the active session with the first domain by the application server; and
  
  providing the requested content through the application server to the user based on the established sub-session with the second domain.
- View Dependent Claims (17)
- - 17. The apparatus of claim 16, wherein the steps further comprise retrieving permissions of the user on the second domain only if there is an active session with the second domain and wherein providing the requested content comprises providing the requested content if the content is allowed by the retrieved permissions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Chabbewal, Harsimranjit Singh, Vangpat, Alan, Mortimore, William Charles Jr.
Primary Examiner(s)
Mehedi, Morshed

Application Number

US13/090,095
Publication Number

US 20120272292A1
Time in Patent Office

875 Days
Field of Search

726 3- 4
US Class Current

726/4
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/1466   Active attacks involving in...

Method and apparatus for protecting against attacks from outside content

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

147 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for protecting against attacks from outside content

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links