Secret variation for network sessions

US 9,038,148 B1
Filed: 08/23/2012
Issued: 05/19/2015
Est. Priority Date: 08/23/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of managing session information, comprising:

receiving a first request from a client device, the first request including at least one security credential and first identifying information describing properties of the client device;

in response to authenticating the client device using the at least one security credential, providing a response to the client device including a session token, the session token including at least an operation count for the session, the operation count for the session configured to be updated in response to operations performed for the session, and a timestamp for the session, the timestamp for the session indicating a time at which the session token was issued;

receiving a second request including the session token and second identifying information describing properties of the client device;

processing the second request when the timestamp falls within a first allowable range of a current time for the session and when the operation count from the session token falls within a second allowable range of a current operation count for the session; and

in response to processing the second request, sending a response including an updated session token, the updated session token including an updated timestamp and an updated operation count, the value of the updated operation count determined by comparing the first and second identifying information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Session-specific information stored to a cookie or other secure token can be selected and/or caused to vary over time, such that older copies will become less useful over time. Such an approach reduces the ability of entities obtaining a copy of the cookie from performing unauthorized tasks on a session. A cookie received with a request can contain a timestamp and an operation count for a session that may need to fall within an acceptable range of the current values in order for the request to be processed. A cookie returned with a response can be set to the correct value or incremented from the previous value based on various factors. The allowable bands can decrease with age of the session, and various parameter values such as a badness factor for a session can be updated continually based on the events for the session.

41 Citations

View as Search Results

23 Claims

1. A computer-implemented method of managing session information, comprising:
- receiving a first request from a client device, the first request including at least one security credential and first identifying information describing properties of the client device;
  
  in response to authenticating the client device using the at least one security credential, providing a response to the client device including a session token, the session token including at least an operation count for the session, the operation count for the session configured to be updated in response to operations performed for the session, and a timestamp for the session, the timestamp for the session indicating a time at which the session token was issued;
  
  receiving a second request including the session token and second identifying information describing properties of the client device;
  
  processing the second request when the timestamp falls within a first allowable range of a current time for the session and when the operation count from the session token falls within a second allowable range of a current operation count for the session; and
  
  in response to processing the second request, sending a response including an updated session token, the updated session token including an updated timestamp and an updated operation count, the value of the updated operation count determined by comparing the first and second identifying information.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the updated operation count includes one of:
    - the current operation count for the session or an incremented count based on the operation count received in the session token.
  - 3. The computer-implemented method of claim 1, wherein a value of the updated operation count is determined based at least in part upon a difference of the operation count in the received session token from the current operation count for the session.
  - 4. The computer-implemented method of claim 1, further comprising:
    - requesting the at least one security credential in a subsequent request based at least in part on the current time and the current operation count.

5. A computer-implemented method, comprising:
- receiving a request from a client device, the request including a session token and current identifying information describing properties of the client device;
  
  determining a session parameter value stored in the session token;
  
  when the session parameter value matches a current value for a corresponding session parameter for the session within an allowable amount of deviation;
  
  updating the current value of the session parameter for the session; and
  
  providing a response to the client device upon processing the request, the response including an updated session parameter value, the updated session parameter value comprising at least one of the current value of the session parameter or an incremented value of the session parameter value based at least in part upon how closely the session parameter value matched the current value for the session parameter within the allowable amount of deviation and how closely the current identifying information associated with the client device matches past identifying information describing properties of the client device;
  
  wherein the session parameter includes an operation count for the session, the operation count incremented in response to each matching of a session parameter value in a session token to the current value for the session parameter.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 6. The computer-implemented method of claim 5, wherein a session token is capable of being received from at least one additional device, and wherein increments of the session parameter due to session tokens received from the at least one additional device are capable of causing the session parameter value stored in the session token for the client device to fall outside the allowable amount of deviation.
  - 7. The computer-implemented method of claim 5, further comprising:
    - storing information for up to a determined number of most recently received requests, wherein the allowable amount of deviation for a received request is based at least in part upon a number of times information for a device associated with the received request appears in the stored information.
  - 8. The computer-implemented method of claim 7, further comprising:
    - masking at least a portion of identifying information for one or more devices such that the devices appear as a single device in the stored information.
  - 9. The computer-implemented method of claim 5, further comprising:
    - determining an amount of time that has passed between a timestamp of the session token and a current time; and
      
      processing the request only when the amount of time falls within an allowable period of inactivity.
  - 10. The computer-implemented method of claim 5, wherein the session token comprises a Web cookie capable of being stored by a browser executing on the client device.
  - 11. The computer-implemented method of claim 5, further comprising:
    - receiving an initial request from the client device, the initial request including at least one security credential for the client device;
      
      in response to authenticating the client device using the at least one security credential, providing the session token to the client device, the session token including an initial operation count for the session.
  - 12. The computer-implemented method of claim 11, further comprising:
    - prompting the client device to provide the at least one security credential when the session parameter value does not match the current value for the session parameter for the session within the allowable amount of deviation.
  - 13. The computer-implemented method of claim 5, wherein at least the operation count in the session token is signed using a key for the session.
  - 14. The computer-implemented method of claim 5, wherein the allowable amount of deviation is capable of being updated in response to changing conditions in the session.
  - 15. The computer-implemented method of claim 5, wherein the allowable amount of deviation for the session parameter is based at least in part upon a type of operation to be performed for the request.
  - 16. The computer-implemented method of claim 5, wherein an amount the current value of the session parameter for the session is updated is based at least in part upon a type of operation to be performed for the request.
  - 17. The computer-implemented method of claim 5, further comprising:
    - enabling the client device to update the session parameter value.

18. A computing device, comprising:
- at least one processor; and
  
  a memory device including instructions that, when executed by the at least one processor, cause the computing device to;
  
  receive a request from a client device, the request including a session token and current identifying information describing properties of the client device;
  
  determine a session parameter value stored in the session token;
  
  process the request and update the current value of the session parameter for the session when the session parameter value matches a current value for the session parameter for the session within an allowable amount of deviation; and
  
  provide a response to the client device upon processing the request, the response including an updated session parameter value, the updated session parameter value comprising at least one of the current value of the session parameter or an incremented value of the session parameter value based at least in part upon how closely the session parameter value matched the current value for the session parameter within the allowable amount of deviation and how closely the current identifying information associated with the client device matches past identifying information describing properties of the client device;
  
  wherein the session parameter includes an operation count for the session, the operation count incremented in response to each matching of a session parameter value in a session token to the current value for the session parameter.
- View Dependent Claims (19, 20)
- - 19. The computing device of claim 18, wherein the instructions when executed further cause the computing device to:
    - store information for up to a determined number of most recently received requests, wherein the allowable amount of deviation for a received request is based at least in part upon a number of times information for a device associated with the received request appears in the stored information.
  - 20. The computing device of claim 18, wherein the instructions when executed further cause the computing device to:
    - determine an amount by which to increase the current value of the session parameter for the session based at least in part upon a type of operation performed for the request.

21. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- receive a request from a client device, the request including a session token and current identifying information describing properties of the client device;
  
  determine a session parameter value stored in the session token;
  
  process the request and update the current value of the session parameter for the session when the session parameter value matches a current value for the session parameter for the session within an allowable amount of deviation; and
  
  provide a response to the client device upon processing the request, the response including an updated session parameter value, the updated session parameter value comprising at least one of the current value of the session parameter or an incremented value of the session parameter value based at least in part upon how closely the session parameter value matched the current value for the session parameter within the allowable amount of deviation and how closely the current identifying information associated with the client device matches past identifying information describing properties of the client device;
  
  wherein the session parameter includes an operation count for the session, the operation count incremented in response to each matching of a session parameter value in a session token to the current value for the session parameter.
- View Dependent Claims (22, 23)
- - 22. The non-transitory computer-readable storage medium of claim 21, wherein the instructions when executed further cause the computing device to:
    - receive an initial request from the client device, the initial request including at least one security credential for the client device;
      
      in response to authenticating the client device using the at least one security credential, provide the session token to the client device, the session token including an initial operation count for the session.
  - 23. The non-transitory computer-readable storage medium of claim 22, wherein the instructions when executed further cause the computing device to:
    - signal the client device to provide the at least one security credential in a subsequent request when the session parameter value does not match the current value for the session parameter for the session within the allowable amount of deviation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Allen, Nicholas Alexander, Ilac, Cristian M.
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Jhaveri, Jayesh

Application Number

US13/593,257
Time in Patent Office

999 Days
Field of Search

713/151, 713/155, 713/159, 713/185, 726 5- 7, 726/9, 726 27- 29
US Class Current

726/5
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/33   using certificates

H04L 63/00   Network architectures or ne...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0876   based on the identity of th...

H04L 63/108   when the policy decisions a...

H04L 67/14   Session management for real...

H04L 67/146   Markers for unambiguous ide...

H04L 9/00   Cryptographic mechanisms or...

Secret variation for network sessions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Secret variation for network sessions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links