Certificate-based cookie security

US 8,707,028 B2
Filed: 10/02/2012
Issued: 04/22/2014
Est. Priority Date: 07/13/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A web security method, comprising:

during a first secure transport session with a first server, receiving a cookie having an attribute that identifies a first server certificate associated with the first server, the attribute having a value for use in determining a characteristic associated with a second server certificate distinct from the first server certificate;

during setup of a second secure transport session with a second server distinct from the first server;

receiving the second server certificate, the second server certificate associated with the second server;

comparing information in the second server certificate to the value of the attribute; and

responsive to a match between the information in the second server certificate and the value of the attribute, sending to the second server the cookie received from the first server during the first secure transport session to facilitate completion of the setup of the second secure transport session;

wherein at least one of the comparing and sending steps are carried out by software executing in a hardware element.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cookie attribute for use during secure HTTP transport sessions. This attribute points to a server-supplied certificate and, in particular, a digital certificate. The cookie attribute includes a value, and that value is designed to correspond to one or more content fields in the digital certificate. During a first https session, a first web application executing on a first server provides a web browser with the cookie having the server certificate identifier attribute set to a value corresponding to a content field in a server certificate. Later, when the browser is accessing a second server during a second https session, the browser verifies that the value in the cookie matches a corresponding value in the server certificate received from the second server before sending the cookie to the second server. This approach ensures that the cookie is presented only over specified https connections and to trusted organizations.

10 Citations

11 Claims

1. A web security method, comprising:
- during a first secure transport session with a first server, receiving a cookie having an attribute that identifies a first server certificate associated with the first server, the attribute having a value for use in determining a characteristic associated with a second server certificate distinct from the first server certificate;
  
  during setup of a second secure transport session with a second server distinct from the first server;
  
  receiving the second server certificate, the second server certificate associated with the second server;
  
  comparing information in the second server certificate to the value of the attribute; and
  
  responsive to a match between the information in the second server certificate and the value of the attribute, sending to the second server the cookie received from the first server during the first secure transport session to facilitate completion of the setup of the second secure transport session;
  
  wherein at least one of the comparing and sending steps are carried out by software executing in a hardware element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as described in claim 1 wherein the first server and the second server are associated with a same organization.
  - 3. The method as described in claim 1 wherein the attribute is a server certificate identifier attribute.
  - 4. The method as described in claim 1 wherein the value of the attribute is a content value of a digital certificate.
  - 5. The method as described in claim 4 wherein the digital certificate is an X.509 digital certificate.
  - 6. The method as described in claim 1 wherein the cookie also includes a domain attribute.
  - 7. The method as described in claim 6 further including verifying that the second server is associated with a domain identified in the domain attribute prior to sending the cookie to the second server.
  - 8. The method as described in claim 1 wherein the secure transport is SSL/TLS.
  - 9. The method as described in claim 1 wherein the value represents data from two or more fields of the second server certificate concatenated together.
  - 10. The method as described in claim 1 wherein the value represents data from two or more fields of the second server certificate concatenated together augmented with additional information other than data derived from the second server certificate.
  - 11. The method as described in claim 1 wherein the characteristic is that the second server certificate is associated with a trusted server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HCL Technologies Limited
Original Assignee
International Business Machines Corporation
Inventors
Wicker, Jason M.
Primary Examiner(s)
Lemma, Samson

Application Number

US13/633,484
Publication Number

US 20130042104A1
Time in Patent Office

567 Days
Field of Search

713/150, 713/151, 713/156, 713/160, 713/175, 713/176, 726/3, 726/4, 726/26, 726/10, 726/14
US Class Current

713/156
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 63/0823   using certificates cryptogr...

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

Certificate-based cookie security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

11 Claims

Specification

Use Cases

Quick Links

Others

Certificate-based cookie security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

11 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others