System and method for authentication of users in a secure computer system
First Claim
1. A method of authenticating a user in a secure computer system, the method comprising:
- in an enrollment session between the secure computer system and a client computer of a user, storing, using hardware processor, a first user identifier on a computer-readable storage medium of the secure computer system, and associating the first user identifier with the user, storing a second user identifier, unique to the user and selected by the secure computer system and that is not related to the client computer, on the computer-readable storage medium of the secure computer system, and associating the second user identifier with the user, creating a persistent object containing the second user identifier, encrypting the persistent object and storing the encrypted persistent object at the client computer, and storing request header attributes from the client computer received during the enrollment session on the computer-readable storage medium of the secure computer system, and associating the request header attributes received during the enrollment process with the first and second user identifiers; and
in a subsequent sign-on session between the secure computer system and the client computer,receiving from the client computer by the secure computer system a request for a sign-on page;
transmitting from the secure computer system to the client computer a prompt for the first user identifier;
in response to said prompt, receiving from the client computer by the secure computer system a request including the first user identifier, the second user identifier stored in the object stored at the client computer, and a plurality of current request header attributes;
authenticating at the secure computer system the first user identifier;
authenticating at the secure computer system the second user identifier;
comparing the transmitted plurality of current request header attributes with the plurality of request header attributes received during the enrollment session, stored at the computer system and associated with the first user identifier; and
if the first and second user identifiers are authenticated, and if at least some of the transmitted request header attributes correspond to the stored request header attributes, transmitting a success message by the secure computer system to the client computer to be viewed by the user and allowing the user into the secure computer system, wherein the secure computer system does not modify the persistent object created in the enrollment session or create a new persistent object.
Abstract
A system and method for authenticating a user in a secure computer system. A client computer transmits a request for a sign-on page, the secure computer system responds by transmitting a prompt for a first user identifier, and the client computer transmits a request including a first identifier, a second identifier stored in an object stored at the client computer and a plurality of request header attributes. A server module authenticates the first and second user identifiers, and compares the transmitted plurality of request header attributes with request header attributes stored at the computer system and associated with the first and second user identifiers. If the first and second user identifiers are authenticated, and if a predetermined number of transmitted request header attributes match stored request header attributes, the server software module transmits a success message, and the user is allowed to access the secure computer system.
81 Citations
40 Claims
1. Claim 1 is reproduced above under First Claim. Dependent claims: 2 to 10.
11. A method of enrolling a user in a secure computer system, the method comprising:
receiving, using hardware processor, from a client computer of a user by the secure computer system a request for an enrollment page, the request including a request header containing a plurality of device attributes specific to said client computer; transmitting from the secure computer system to the client computer a prompt for a user identifier; receiving by the secure computer system from the client computer the user identifier; validating the user identifier; authenticating the user identifier; transmitting from the secure computer system to the client computer a request for a user identification and password; receiving from the client computer and authenticating the user identification and password; storing the user identification and password in a computer-readable storage medium associated with the secure computer system in a file containing the device attributes and user identifier; creating a serial number and saving the serial number in the file; encrypting the serial number; creating a browser cookie containing the encrypted serial number and storing the browser cookie on the client computer; creating a local shared object containing the encrypted serial number and storing the local shared object on the client computer; comparing the transmitted plurality of current request header attributes with the plurality of request header attributes received during the enrollment session, stored at the computer system and associated with the first user identifier; and if the first and second user identifiers are authenticated, and if at least some of the transmitted request header attributes correspond to the stored request header attributes, transmitting a success message by the secure computer system to the client computer to be viewed by the user and allowing the user into the secure computer system, wherein the secure computer system does not modify the persistent object created in the enrollment session or create a new persistent object. 
Dependent claims: 12 to 15.
16. A system for authenticating a user in a secure computer system, the system comprising:
a server having at least one hardware processor, the server associated with the secure computer system and having a module configured to establish communication over a network with a client computer operable by a user, the server having a computer-readable storage medium; the module being configured to transmit from the server to the client computer a prompt for a first user identifier; the module being configured to receive from the client software module, in response to the prompt, the first user identifier, a second user identifier stored in an encrypted persistent object stored in the client computer, and a plurality of request header attributes; the module being configured to validate the first user identifier and the second user identifier, and compare the transmitted plurality of request header attributes to a plurality of request header attributes in the computer-readable storage medium and associated with the first identifier; the module being configured such that, if the first and second user identifiers are validated by the module, and if the transmitted request header attributes correspond to the stored request header attributes, the module allows the client computer access to the secure computer system.
Dependent claims: 17 to 28.
29. A system for authenticating a client computer of a user in a secure computer system, the system comprising:
a server having at least one hardware processor, the server associated with the secure computer system in communication with the client computer and having a computer-readable storage medium; the server having a module configured to transmit from the server over a network during a sign-on session between the secure computer system and the client computer in response to a request for a sign-on page a prompt for a first user identifier; the module configured to receive from the client computer over the network in response to the prompt, a request including the first user identifier, a second user identifier stored in an object stored at the client computer, and a plurality of request header attributes; and the module configured to authenticate the first user identifier and the second user identifier and compare the plurality of request header attributes transmitted from the client computer with a plurality of request header attributes in the computer-readable storage medium and associated with the first identifier; whereby, if the first and second user identifiers are authenticated by the server software module, and if at least some of the transmitted request header attributes correspond to the stored request header attributes, the server software module is configured to allow the client computer access to the secure computer system, wherein the secure computer system does not modify the persistent object created in the enrollment session or create a new persistent object.
30. A system of authenticating a user in a secure computer system, the system comprising:
a server having at least one hardware processor, the server associated with the secure computer system having a server software module configured to communicate over a network with a client computer of the user, the server having storage containing information pertaining to the user; the server software module being configured to receive from the client computer during an enrollment session a request for an enrollment page, the request including a request header containing a plurality of device attributes specific to the client computer; the server software module configured to transmit to the client computer a prompt for a user identifier, receive the user identifier from the client computer, validate the user identifier, authenticate the user identifier, transmit from the server a request for a user identification and password, validate the user identification and password received from the client computer, and store the user identification and password on the computer-readable storage medium; the module configured to receive from the client computer a request to register the client computer; the module configured such that, in response to the request to register, the module creates a serial number unique to the user and saves the serial number and the request attributes on the computer-readable storage medium associated with the user identification and password, stores the serial number on the client computer, and allows the client computer access to the secure computer system; and the module being configured to, in a subsequent sign-on session; receive from the client computer a request for a sign-on page; transmit from the computer system to the client computer a prompt for the first user identifier; in response to said prompt, receive from the client computer a request including the first user identifier, the serial number stored in at least one of a browser cookie and a local shared object stored at the client computer and a plurality of current request 
header attributes; authenticate at the secure computer system the first user identifier; authenticate at the secure computer system the second user identifier; compare the transmitted plurality of current request header attributes with the plurality of request header attributes stored at the secure computer system and associated with the first and second identifiers; and the secure computer system being configured such that, if the first and second user identifiers are validated, and if the transmitted request header attributes correspond to the stored request header attributes, the user computer is allowed to access the secure computer system.
31. A method of authenticating a user in a secure computer system, the method comprising:
receiving from a client computer of a user by the secure computer system over a network a request for an enrollment page, the request including a request header containing a plurality of device attributes specific to said client computer; transmitting from the secure computer system to the client computer a prompt for a user identifier; the secure computer system receiving from the client computer the user identifier, validating the user identifier, authenticating the user identifier, and transmitting to the client computer a request for a user identification and password; the secure computer system receiving from the client computer a user identification and password, validating the user identification and password and storing the user identification and password in computer-readable storage medium associated therewith; the secure computer system receiving from the client computer a request to register the client computer; the secure computer system creating a serial number unique to the user and storing the serial number and request header in the computer-readable storage medium associated with the user identification and password; and the secure computer system storing the serial number on the client computer; allowing the user access to the secure computer system; and in a subsequent sign-on session; the secure computer system receiving from the client computer a request for a sign-on page; transmitting from the computer system to the client computer a prompt for the first user identifier; in response to said prompt, the secure computer system receiving from the client computer a request including the first user identifier, the serial number stored in at least one of a browser cookie and a local shared object stored at the client computer and a plurality of current request header attributes; authenticating at the secure computer system the first user identifier; authenticating at the secure computer system the second user identifier; the secure computer system 
comparing the transmitted plurality of current request header attributes with the plurality of request header attributes stored at the secure computer system and associated with the first and second identifiers; and the secure computer system being configured such that, if the first and second user identifiers are validated, and if the transmitted request header attributes correspond to the stored request header attributes, the user computer is allowed to access the secure computer system.
Dependent claims: 32 to 40.
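The enrollment and sign-on flow of claims 1, 11 and 31, as an added Python example that is not part of the patent or of any product implementing it. It assumes a user identification and password as the first identifier, an HMAC-based seal for the encrypted persistent object, the four listed header attributes, and a match threshold of three; none of these specifics come from the claims.

```python
import hashlib, hmac, os, secrets
from collections import namedtuple
# Constructed example key; a real deployment would load this from a key store.
SERVER_KEY = secrets.token_bytes(32)
ENC_KEY = hmac.new(SERVER_KEY, b"enc", hashlib.sha256).digest()  # subkey for the keystream
MAC_KEY = hmac.new(SERVER_KEY, b"mac", hashlib.sha256).digest()  # subkey for the tag
HEADER_ATTRS = ("user-agent", "accept-language", "accept-encoding", "accept")
MIN_MATCHES = 3  # "at least some" attributes must match; the exact threshold is an assumption

def _keystream(nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode gives a stream cipher; seal() then MACs the result.
    blocks = (hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(serial: str) -> bytes:
    """Build the encrypted persistent object (cookie value) carrying the second identifier."""
    nonce, pt = os.urandom(16), serial.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(nonce, len(pt))))
    return nonce + ct + hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()

def unseal(blob: bytes):
    """Recover the second identifier, or None if the object was altered or forged."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()

# serial = second identifier chosen by the server; headers = attributes captured at enrollment
Enrollment = namedtuple("Enrollment", "pw_hash salt serial headers")
USERS = {}  # in-memory stand-in for the server's computer-readable storage medium
def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(user_id: str, password: str, request_headers: dict) -> bytes:
    salt = os.urandom(16)
    snapshot = {k: request_headers.get(k) for k in HEADER_ATTRS}
    USERS[user_id] = Enrollment(_pw_hash(password, salt), salt, secrets.token_hex(16), snapshot)
    return seal(USERS[user_id].serial)  # the client keeps this as a cookie / local shared object

def sign_on(user_id: str, password: str, cookie: bytes, request_headers: dict) -> bool:
    rec = USERS.get(user_id)
    if rec is None or not hmac.compare_digest(rec.pw_hash, _pw_hash(password, rec.salt)):
        return False  # first identifier not authenticated
    serial = unseal(cookie)
    if serial is None or not hmac.compare_digest(serial, rec.serial):
        return False  # second identifier missing, tampered with, or not this user's
    matches = sum(1 for k in HEADER_ATTRS if request_headers.get(k) == rec.headers[k])
    return matches >= MIN_MATCHES  # no new object is issued; the enrolled one stays as it is
```

A single changed attribute (for example a browser update) still passes the threshold, while a forged or altered object, another user's object, or a wrong password is refused.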
Specification