Tolerance factor-based secret decay
First Claim
1. A system for managing session information, comprising:
  at least one processor; and
  memory storing instructions that, when executed by the at least one processor, cause the system to:
    receiving a first request including at least one security credential for a client device;
    in response to authenticating the client device using the at least one security credential, providing a response including a session token, the session token including at least a timestamp and an operation count for the session, the operation count for the session configured to be updated in response to operations performed for the session;
    receiving a second request including the session token;
    decreasing the value of a tolerance factor without processing the request when at least one of the timestamp falls outside the first allowable range of the current time for the session or the operation count from the session token falls outside the second allowable range of the current operation count for the session, the first and second allowable ranges each being determined based at least in part upon the tolerance factor for the session; and
    when the timestamp falls within a first allowable range of a current time for the session and the operation count from the cookie falls within a second allowable range of a current operation count for the session:
      processing the second request;
      increasing a value of the tolerance factor if the tolerance factor is below a maximum value; and
      sending a response to the second request including an updated session token, the updated session token including an updated timestamp and an updated operation count.
1 Assignment
0 Petitions
Abstract
Session-specific information stored to a cookie or other secure token can be selected and/or caused to vary over time, such that older copies become less useful as time passes. Such an approach reduces the ability of an entity that obtains a copy of the cookie to perform unauthorized tasks on the session. A cookie received with a request can contain a timestamp and an operation count for the session, each of which may need to fall within an acceptable range of the current value in order for the request to be processed. A cookie returned with a response can be set to the correct value or incremented from the previous value based on various factors. The allowable bands can narrow as the session ages, and parameter values such as a badness factor for the session can be updated continually based on the events of the session.
31 Citations
24 Claims
1. A system for managing session information (independent claim; full text given under First Claim above). Dependent claims: 2, 3, 4.

5. A computer-implemented method, comprising:
  receiving a request from a client device, the request including a session token;
  determining at least one session parameter value for the session token;
  determining a tolerance factor for a session associated with the session token;
  determining whether the session token is acceptable based at least in part on the at least one session parameter value and the tolerance factor, wherein the tolerance factor is increased when the session token is acceptable, and wherein the tolerance factor is decreased when the session token is not acceptable;
  processing the request when the session token is determined to be acceptable; and
  updating the tolerance factor based at least in part upon whether the session token is determined to be acceptable.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.

17. A computing device, comprising:
  at least one processor; and
  a memory device including instructions that, when executed by the at least one processor, cause the computing device to:
    receive a request including a session token;
    determine at least one session parameter value stored in the session token;
    determine a tolerance factor for a session associated with the session token;
    determine whether the session token is acceptable based at least in part on the at least one session parameter value and the tolerance factor, wherein the tolerance factor is increased when the session token is acceptable, and wherein the tolerance factor is decreased when the session token is not acceptable;
    process the request when the session token is determined to be acceptable; and
    update the tolerance factor based at least in part upon whether the session token is determined to be acceptable.
Dependent claims: 18, 19, 20, 21.

22. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing device, cause the computing device to:
  receive a request from a client device, the request including a session token;
  determine a session parameter value stored in the session token;
  determine a tolerance factor for a session associated with the session token;
  determine whether the session token is acceptable based at least in part on the at least one session parameter value and the tolerance factor, wherein the tolerance factor is increased when the session token is acceptable, and wherein the tolerance factor is decreased when the session token is not acceptable;
  process the request when the session token is determined to be acceptable; and
  update the tolerance factor based at least in part upon whether the session token is determined to be acceptable.
Dependent claims: 23, 24.
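The decay loop described in the abstract and in claims 1 and 5, as an added, runnable illustration. This is not the patent's code and nothing in it is the assignee's implementation. The HMAC-signed token format, the constants (a maximum tolerance of 4, a 60-second time band, a 2-operation band, a 3600-second lifetime over which the time band shrinks) and the linear band formulas are assumptions chosen so the mechanism can be exercised; the names SessionServer, handle and replay_scenario are likewise hypothetical. The scenario has a legitimate client that always presents the freshest token and an attacker who replays the copy taken at login.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side key (illustration only; a real deployment keeps this in a
# key store and rotates it).
SERVER_KEY = b"example-only-signing-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(payload: dict) -> str:
    """Serialise the token and append an HMAC so the client cannot edit ts/ops."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def decode_token(token: str):
    """Return the payload if the MAC verifies, otherwise None."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_unb64(body))


class SessionServer:
    """Holds the authoritative operation count and tolerance factor per session."""

    def __init__(self, max_tolerance=4, base_time_band=60.0, base_op_band=2, lifetime=3600.0):
        self.max_tolerance = max_tolerance
        self.base_time_band = base_time_band  # seconds allowed at full tolerance, age 0
        self.base_op_band = base_op_band      # operations allowed at full tolerance
        self.lifetime = lifetime              # seconds over which the time band shrinks
        self.sessions = {}

    def login(self, session_id: str, now: float) -> str:
        """First request: credential already checked; start counters, issue a token."""
        self.sessions[session_id] = {"ops": 0, "tolerance": self.max_tolerance, "created": now}
        return encode_token({"sid": session_id, "ts": now, "ops": 0})

    def bands(self, session_id: str, now: float):
        """Allowable ranges: narrower as the tolerance drops and as the session ages."""
        s = self.sessions[session_id]
        scale = s["tolerance"] / self.max_tolerance
        age_scale = max(0.25, 1.0 - (now - s["created"]) / self.lifetime)
        return self.base_time_band * scale * age_scale, int(self.base_op_band * scale)

    def handle(self, token: str, now: float):
        """Validate the presented token; returns (accepted, refreshed_token_or_None)."""
        payload = decode_token(token)
        if payload is None or payload.get("sid") not in self.sessions:
            return False, None  # forged or unknown token: reject, nothing to decay
        s = self.sessions[payload["sid"]]
        time_band, op_band = self.bands(payload["sid"], now)
        in_time = abs(now - payload["ts"]) <= time_band
        in_ops = abs(s["ops"] - payload["ops"]) <= op_band
        if not (in_time and in_ops):
            s["tolerance"] = max(0, s["tolerance"] - 1)  # decay without processing
            return False, None
        s["ops"] += 1                                       # process the request
        s["tolerance"] = min(self.max_tolerance, s["tolerance"] + 1)
        return True, encode_token({"sid": payload["sid"], "ts": now, "ops": s["ops"]})


def replay_scenario():
    """Constructed timeline: legitimate client vs. attacker replaying the login-time copy."""
    server = SessionServer()
    current = server.login("s1", now=0.0)
    stolen = current                        # attacker copies the cookie at t=0
    for t in (10.0, 20.0, 30.0, 40.0):     # four legitimate operations, each refreshes the token
        ok, current = server.handle(current, now=t)
        if not ok:
            raise RuntimeError("legitimate request rejected")
    first_replay = server.handle(stolen, now=45.0)[0]    # 4 ops behind, band is 2: rejected
    tol_after_first = server.sessions["s1"]["tolerance"]
    second_replay = server.handle(stolen, now=46.0)[0]   # bands shrank with tolerance: rejected
    tol_after_second = server.sessions["s1"]["tolerance"]
    legit_again, current = server.handle(current, now=50.0)  # fresh token still inside the bands
    tampered = server.handle(current[:-1] + ("0" if current[-1] != "0" else "1"), now=51.0)[0]
    return {
        "first_replay": first_replay, "tol_after_first": tol_after_first,
        "second_replay": second_replay, "tol_after_second": tol_after_second,
        "legit_again": legit_again, "tampered": tampered,
        "ops": server.sessions["s1"]["ops"],
    }
```

Two points worth noting when reading the result. The MAC is what makes the bands meaningful: without it a client could rewrite the timestamp and operation count to stay inside the range. And the scheme shrinks the window for a stolen cookie rather than closing it: a copy of the freshest token used before the legitimate client's next request is still inside both bands, so it should be combined with the usual transport and cookie protections rather than replace them.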