Adaptive timeouts for security credentials
First Claim
1. A system for managing session information, comprising:
at least one processor; and
memory storing instructions that, when executed by the at least one processor, cause the system to:
receive a first request from a client device for access to at least one resource, the first request including at least one security credential for the client device;
determine at least one first tolerance factor indicating a level of tolerance for incorrect information for a session;
authenticate the client device based at least in part on the at least one security credential and the at least one first tolerance factor;
initiate the session and send the client device a session token for the session, the session token including a timestamp indicating a time at which the session token was provided;
receive a second request from the client device, the second request including the session token;
determine an age of the session based at least in part upon a time of initiation of the session and a current time;
set a first period of time for a first inactivity window for the session;
process the second request and generate at least one second tolerance factor based at least in part on determining that the timestamp falls within the first period of time of the first inactivity window for the session, the at least one second tolerance factor indicating a second level of tolerance for incorrect information for the session and replacing the at least one first tolerance factor;
send a first response to the client device including an updated session token including an updated timestamp; and
set a second period of time for a second inactivity window for the session, the second period of time varying from the first period of time according to a function based at least in part upon the age of the session.
Abstract
Session-specific information stored to a cookie or other secure token can be selected and/or caused to vary over time, such that older copies will become less useful over time. Such an approach reduces the ability of entities obtaining a copy of the cookie from performing unauthorized tasks on a session. A cookie received with a request can contain a timestamp and an operation count for a session that may need to fall within an acceptable range of the current values in order for the request to be processed. A cookie returned with a response can be set to the correct value or incremented from the previous value based on various factors. The allowable bands can decrease with age of the session, and various parameter values such as a badness factor for a session can be updated continually based on the events for the session.
24 Claims
1. A system for managing session information, comprising:
at least one processor; and
memory storing instructions that, when executed by the at least one processor, cause the system to:
receive a first request from a client device for access to at least one resource, the first request including at least one security credential for the client device;
determine at least one first tolerance factor indicating a level of tolerance for incorrect information for a session;
authenticate the client device based at least in part on the at least one security credential and the at least one first tolerance factor;
initiate the session and send the client device a session token for the session, the session token including a timestamp indicating a time at which the session token was provided;
receive a second request from the client device, the second request including the session token;
determine an age of the session based at least in part upon a time of initiation of the session and a current time;
set a first period of time for a first inactivity window for the session;
process the second request and generate at least one second tolerance factor based at least in part on determining that the timestamp falls within the first period of time of the first inactivity window for the session, the at least one second tolerance factor indicating a second level of tolerance for incorrect information for the session and replacing the at least one first tolerance factor;
send a first response to the client device including an updated session token including an updated timestamp; and
set a second period of time for a second inactivity window for the session, the second period of time varying from the first period of time according to a function based at least in part upon the age of the session.
Dependent claims: 2, 3, 4.
5. A computer-implemented method, comprising:
receiving a request from a client device for access to at least one resource, the request including a session token for a session;
determining at least one first tolerance factor indicating a level of tolerance for incorrect information for the session;
determining a timestamp stored in the session token, the timestamp indicating a time at which the session token was issued;
determining an age of the session corresponding to the request;
setting an inactivity limit for the session, a period of time of the inactivity limit varying in time from a previous inactivity limit according to a function based at least in part upon the age of the session; and
processing the request and generating at least one second tolerance factor based at least in part on determining that the request is received within the period of time of the inactivity limit, the at least one second tolerance factor indicating a second level of tolerance for incorrect information for the session and replacing the at least one first tolerance factor.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A computing device, comprising:
at least one processor; and
a memory device including instructions that, when executed by the at least one processor, cause the computing device to:
receive a request from a client device, the request including a session token for a session;
determine at least one first tolerance factor indicating a level of tolerance for incorrect information for the session;
determine a timestamp stored in the session token, the timestamp indicating a time at which the session token was issued;
determine an age of the session corresponding to the request;
set an inactivity limit for the session, a period of time of the inactivity limit varying in time from a previous inactivity limit according to a function based at least in part upon the age of the session; and
process the request and generate at least one second tolerance factor based at least in part on determining that the request is received within the inactivity limit, the at least one second tolerance factor indicating a second level of tolerance for incorrect information and replacing the at least one first tolerance factor.
Dependent claims: 18, 19, 20.
21. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing device, cause the computing device to:
receive a request from a client device, the request including a session token for a session;
determine at least one first tolerance factor indicating a level of tolerance for incorrect information for the session;
determine a timestamp based on the session token, the timestamp indicating a time at which the session token was issued;
determine an age of the session corresponding to the request;
set an inactivity limit for the session, a period of time of the inactivity limit varying in time from a previous inactivity limit according to a function based at least in part upon the age of the session; and
process the request and generate at least one second tolerance factor based at least in part on determining that the request is received within the inactivity limit, the at least one second tolerance factor indicating a second level of tolerance for incorrect information and replacing the at least one first tolerance factor.
Dependent claims: 22, 23, 24.
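The abstract and the independent claims above describe one server-side mechanism from four angles: a signed token carrying an issue timestamp and an operation count, an inactivity window whose length is a function of session age, and a tolerance factor (driven by a per-session "badness" value) that is replaced after each processed request. The following is an added illustration of that mechanism, written for this page; it is not the patent's code, and the concrete choices it makes (HMAC-SHA256 over a JSON payload, an exponential decay for the inactivity window with a fixed floor, an integer operation-count tolerance that shrinks with badness, and the specific badness increments) are assumptions chosen to show the behaviour, not values taken from the specification.

```python
"""Adaptive session-token check (constructed example, not the patent's code)."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed demo key; a deployment would load this from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-use"


@dataclass
class SessionState:
    """Server-side record for one session."""
    session_id: str
    started_at: float     # time of session initiation (seconds)
    op_count: int = 0     # operations processed so far on this session
    badness: float = 0.0  # grows when stale or unverifiable tokens are seen


def inactivity_window(age_s: float, base_s: float = 1800.0,
                      floor_s: float = 120.0, half_life_s: float = 3600.0) -> float:
    """Inactivity limit as a function of session age (assumed shape:
    halves every half_life_s seconds, never below floor_s)."""
    return max(floor_s, base_s * 0.5 ** (age_s / half_life_s))


def op_tolerance(badness: float, base: int = 3) -> int:
    """Tolerance factor: how far behind the server's count a token's
    operation count may be and still be processed. Shrinks with badness."""
    return max(0, base - int(badness))


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(state: SessionState, now: float) -> str:
    """Build 'payload.signature' carrying the issue timestamp and op count."""
    payload = _b64(json.dumps({"sid": state.session_id, "ts": now,
                               "ops": state.op_count}).encode())
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def parse_token(token: str):
    """Return the payload dict if the HMAC verifies, otherwise None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(payload))


def handle_request(state: SessionState, token: str, now: float):
    """Check a request's token against the current inactivity window and
    tolerance; on success advance the session and issue a refreshed token.
    Returns (accepted, reason, new_token_or_None)."""
    payload = parse_token(token)
    if payload is None or payload.get("sid") != state.session_id:
        state.badness += 2.0
        return False, "bad-signature", None
    # Inactivity limit recomputed from session age on every request.
    window = inactivity_window(now - state.started_at)
    if now - payload["ts"] > window:
        return False, "inactive", None
    # How far behind the live session the presented copy is.
    drift = state.op_count - payload["ops"]
    if drift < 0 or drift > op_tolerance(state.badness):
        state.badness += 1.0  # the new (tighter) tolerance replaces the old one
        return False, "stale-token", None
    if drift > 0:
        state.badness += 1.0  # tolerated this time, but the band narrows
    state.op_count += 1
    return True, "ok", mint_token(state, now)
```

Running a session through this shows the property the abstract claims: an older copy of the token is accepted while its operation count is within the band, but each such use raises badness and narrows the band, so the same copy is refused after a few replays and the session effectively degrades rather than staying open indefinitely. The window check also shows why a token that was valid an hour ago can be refused now even with a correct signature: the limit it is measured against has shrunk with the session's age.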