Adaptive timeouts for security credentials

US 9,203,818 B1
Filed: 08/23/2012
Issued: 12/01/2015
Est. Priority Date: 08/23/2012
Status: Active Grant

First Claim

Patent Images

1. A system for managing session information, comprising:

at least one processor; and

memory storing instructions that, when executed by the at least one processor, cause the system to;

receive a first request from a client device for access to at least one resource, the first request including at least one security credential for the client device;

determine at least one first tolerance factor indicating a level of tolerance for incorrect information for a session;

authenticate the client device based at least in part on the at least one security credential and the at least one first tolerance factor;

initiate the session and send the client device a session token for the session, the session token including a timestamp indicating a time at which the session token was provided;

receive a second request from the client device, the second request including the session token;

determine an age of the session based at least in part upon a time of initiation of the session and a current time;

set a first period of time for a first inactivity window for the session;

process the second request and generate at least one second tolerance factor based at least in part on determining that the timestamp falls within the first period of time of the first inactivity window for the session, the at least one second tolerance factor indicating a second level of tolerance for incorrect information for the session and replacing the at least one first tolerance factor;

send a first response to the client device including an updated session token including an updated timestamp; and

set a second period of time for a second inactivity window for the session, the second period of time varying from the first period of time according to a function based at least in part upon the age of the session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Session-specific information stored to a cookie or other secure token can be selected and/or caused to vary over time, such that older copies will become less useful over time. Such an approach reduces the ability of entities obtaining a copy of the cookie from performing unauthorized tasks on a session. A cookie received with a request can contain a timestamp and an operation count for a session that may need to fall within an acceptable range of the current values in order for the request to be processed. A cookie returned with a response can be set to the correct value or incremented from the previous value based on various factors. The allowable bands can decrease with age of the session, and various parameter values such as a badness factor for a session can be updated continually based on the events for the session.

Citations

24 Claims

1. A system for managing session information, comprising:
- at least one processor; and
  
  memory storing instructions that, when executed by the at least one processor, cause the system to;
  
  receive a first request from a client device for access to at least one resource, the first request including at least one security credential for the client device;
  
  determine at least one first tolerance factor indicating a level of tolerance for incorrect information for a session;
  
  authenticate the client device based at least in part on the at least one security credential and the at least one first tolerance factor;
  
  initiate the session and send the client device a session token for the session, the session token including a timestamp indicating a time at which the session token was provided;
  
  receive a second request from the client device, the second request including the session token;
  
  determine an age of the session based at least in part upon a time of initiation of the session and a current time;
  
  set a first period of time for a first inactivity window for the session;
  
  process the second request and generate at least one second tolerance factor based at least in part on determining that the timestamp falls within the first period of time of the first inactivity window for the session, the at least one second tolerance factor indicating a second level of tolerance for incorrect information for the session and replacing the at least one first tolerance factor;
  
  send a first response to the client device including an updated session token including an updated timestamp; and
  
  set a second period of time for a second inactivity window for the session, the second period of time varying from the first period of time according to a function based at least in part upon the age of the session.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the instructions when executed further cause the system to:
    - reject a subsequent request when the subsequent request for the session is not received within the second period of time of the second inactivity window.
  - 3. The system of claim 1, wherein the function based at least in part upon the age of the session is at least one of a linear function or an exponential function.
  - 4. The system of claim 1, wherein multiple devices are capable of submitting requests for the session, and wherein the session stays active as long as a request is processed within the second inactivity window regardless of the age of the session.

5. A computer-implemented method, comprising:
- receiving a request from a client device for access to at least one resource, the request including a session token for a session;
  
  determining at least one first tolerance factor indicating a level of tolerance for incorrect information for a session for the session;
  
  determining a timestamp stored in the session token, the timestamp indicating a time at which the session token was issued;
  
  determining an age of the session corresponding to the request;
  
  setting an inactivity limit for the session, a period of time of the inactivity limit varying in time from a previous inactivity limit according to a function based at least in part upon the age of the session; and
  
  processing the request and generating at least one second tolerance factor based at least in part on determining that the request is received within the period of time of the inactivity limit, the at least one second tolerance factor indicating a second level of tolerance for incorrect information for the session and replacing the at least one first tolerance factor.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 6. The computer-implemented method of claim 5, further comprising:
    - sending an updated session token to the client device in response to processing the request, the updated session token including an updated timestamp corresponding at least approximately to a time that the request is received.
  - 7. The computer-implemented method of claim 5, wherein the inactivity limit is further capable of being adjusted based at least in part upon a state of the session.
  - 8. The computer-implemented method of claim 5, further comprising:
    - signaling the client device to provide at least one security credential to initiate a new session when the timestamp falls outside the inactivity limit with respect to a time that the request is received.
  - 9. The computer-implemented method of claim 5, further comprising:
    - storing information for up to a determined number of most recently received requests, wherein the inactivity limit for a received request is further based at least in part upon a number of times information for a device associated with the received request appears in the stored information.
  - 10. The computer-implemented method of claim 9, further comprising:
    - masking at least a portion of identifying information for one or more devices such that the devices appear as a single device in the stored information.
  - 11. The computer-implemented method of claim 5, wherein the session token includes a Web cookie capable of being stored by a browser executing on the client device.
  - 12. The computer-implemented method of claim 5, further comprising:
    - receiving an initial request from the client device, the initial request including at least one security credential for the client device;
      
      authenticating the client device using the at least one security credential and the at least one first tolerance factor; and
      
      providing the session token to the client device, the session token including the timestamp.
  - 13. The computer-implemented method of claim 5, wherein the timestamp in the session token is signed using a key for the session.
  - 14. The computer-implemented method of claim 5, wherein the inactivity limit for the session is based at least in part upon a type of operation to be performed for the request.
  - 15. The computer-implemented method of claim 5, further comprising:
    - terminating the session when the request or another request for the session is not received within the period of time of the inactivity limit.
  - 16. The computer-implemented method of claim 15, wherein multiple devices are capable of submitting requests for the session, and wherein the session stays active as long as at least one of the requests is processed within the period of time of the inactivity limit regardless of the age of the session.

17. A computing device, comprising:
- at least one processor; and
  
  a memory device including instructions that, when executed by the at least one processor, cause the computing device to;
  
  receive a request from a client device, the request including a session token for a session;
  
  determine at least one first tolerance factor indicating a level of tolerance for incorrect information for the session;
  
  determine a timestamp stored in the session token, the timestamp indicating a time at which the session token was issued;
  
  determine an age of the session corresponding to the request;
  
  set an inactivity limit for the session, a period of time of the inactivity limit varying in time from a previous inactivity limit according to a function based at least in part upon the age of the session; and
  
  process the request and generate the at least one second tolerance factor based at least in part on determining that the request is received within the inactivity limit, the at least one second tolerance factor indicating a second level of tolerance for incorrect information and replacing the at least one first tolerance factor.
- View Dependent Claims (18, 19, 20)
- - 18. The computing device of claim 17, wherein the instructions when executed further cause the computing device to:
    - send an updated session token to the client device in response to processing the request, the updated session token including an updated timestamp corresponding approximately to a time that the request is received.
  - 19. The computing device of claim 17, wherein the inactivity limit for the session is based at least in part upon a type of operation to be performed for the request.
  - 20. The computing device of claim 17, wherein the instructions when executed further cause the computing device to:
    - store information for up to a determined number of most recently received requests, wherein the inactivity limit for a received request is further based at least in part upon a number of times information for a device associated with the received request appears in the stored information; and
      
      mask at least a portion of identifying information for one or more devices such that the devices appear as a single device in the stored information.

21. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- receive a request from a client device, the request including a session token for a session;
  
  determine at least one first tolerance factor indicating a level of tolerance for incorrect information for the session;
  
  determine a timestamp based on the session token, the timestamp indicating a time at which the session token was issued;
  
  determine an age of the session corresponding to the request;
  
  set an inactivity limit for the session, a period of time of the inactivity limit varying in time from a previous inactivity limit according to a function based at least in part upon the age of the session; and
  
  process the request and generate at least one second tolerance factor based at least in part on determining that the request is received within the inactivity limit, the at least one second tolerance factor indicating a second level of tolerance for incorrect information and replacing the at least one first tolerance factor.
- View Dependent Claims (22, 23, 24)
- - 22. The non-transitory computer-readable storage medium of claim 21, wherein the session token includes a Web cookie capable of being stored by a browser executing on the client device.
  - 23. The non-transitory computer-readable storage medium of claim 21, wherein the instructions when executed further cause the computing device to:
    - receive an initial request from the client device, the initial request including at least one security credential for the client device;
      
      authenticate the client device using the at least one security credential and the at least one first tolerance factor; and
      
      provide the session token to the client device, the session token including the timestamp.
  - 24. The non-transitory computer-readable storage medium of claim 21, wherein the instructions when executed further cause the computing device to:
    - send an updated session token to the client device in response to processing the request, the updated session token including an updated timestamp corresponding approximately to a time that the request is received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Allen, Nicholas Alexander, Ilac, Cristian M.
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/593,274
Time in Patent Office

1,195 Days
Field of Search

726/5
US Class Current

1/1
CPC Class Codes

H04L 2463/121   Timestamp

H04L 43/106   using time related informat...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0846   using time-dependent-passwo...

H04L 63/108   when the policy decisions a...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/14   Session management for real...

H04L 67/146   Markers for unambiguous ide...

Adaptive timeouts for security credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive timeouts for security credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links