HTTP authentication and authorization management

US 9,379,895 B2
Filed: 07/24/2008
Issued: 06/28/2016
Est. Priority Date: 07/24/2008
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, at a processing node comprising a communication device, a first request for a domain from a client browser, the client browser associated with a first communication address, wherein the processing node is part of a distributed security system located external from the client browser and external from the domain configured to monitor communications associated with the client browser in an overlay network, wherein the distributed security system is configured to detect and preclude security threats comprising malware, spyware, and other undesirable content sent from or requested by the client browser or the domain;

identifying a first authorized user data associated with the first request;

identifying at the processing node the first communication address associated with the client browser;

associating at the processing node the first communication address of the client browser with the first authorized user data;

encrypting at the processing node the first authorized user data and the associated first communication address to generate a first associated authorization data comprising an associate token, wherein the first communication address includes a port address used by the client browser to communicate with the processing node, thereby preventing intercepting of the first associated authorization data by an unauthorized client, wherein the encrypting uses a private key that is generated at the processing node;

providing the first associated authorization data to the client browser at the first communication address; and

processing a data request at the processing node for the domain from the client browser using the first associated authorization data, wherein the client browser is prevented, by the processing node, from accessing the domain without the first associated authorization data comprising the associate token and without a communication address associated with the data request matching the communication address associated with the associate token, wherein the first associated authorization data determines eligibility of the client browser to complete an action associated with the domain.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include a source processor that is used to identify the source associated with a request for authentication or authorization. The source processor can maintain the initial source associated with the request through the use of an association token. The associate token can be transmitted with each subsequent request that includes authentication or authorization data. The source processor can use the associate token to verify that the source associated with the initial request is the same as the source associated with subsequent authentication and authorization requests.

Citations

17 Claims

1. A method, comprising:
- receiving, at a processing node comprising a communication device, a first request for a domain from a client browser, the client browser associated with a first communication address, wherein the processing node is part of a distributed security system located external from the client browser and external from the domain configured to monitor communications associated with the client browser in an overlay network, wherein the distributed security system is configured to detect and preclude security threats comprising malware, spyware, and other undesirable content sent from or requested by the client browser or the domain;
  
  identifying a first authorized user data associated with the first request;
  
  identifying at the processing node the first communication address associated with the client browser;
  
  associating at the processing node the first communication address of the client browser with the first authorized user data;
  
  encrypting at the processing node the first authorized user data and the associated first communication address to generate a first associated authorization data comprising an associate token, wherein the first communication address includes a port address used by the client browser to communicate with the processing node, thereby preventing intercepting of the first associated authorization data by an unauthorized client, wherein the encrypting uses a private key that is generated at the processing node;
  
  providing the first associated authorization data to the client browser at the first communication address; and
  
  processing a data request at the processing node for the domain from the client browser using the first associated authorization data, wherein the client browser is prevented, by the processing node, from accessing the domain without the first associated authorization data comprising the associate token and without a communication address associated with the data request matching the communication address associated with the associate token, wherein the first associated authorization data determines eligibility of the client browser to complete an action associated with the domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the request is an http request.
  - 3. The method of claim 1, wherein receiving at a processing node a first request from a client browser comprises receiving at a processing node a first request for a domain from a client browser identifiable by a communication address.
  - 4. The method of claim 1, wherein the first communication address of the client browser is a port address.
  - 5. The method of claim 1, wherein the first associated authorization data is an http cookie.
  - 6. The method of claim 1, wherein the authorized user data is based on authentication data for a user.
  - 7. The method of claim 1, further comprising:
    - receiving at the processing node a second request for a domain, and a second associated authorization data;
      
      decrypting at the processing node the second associated authorization data into a second authorized user data and a second communication address;
      
      determining whether the second communication address is the same as the first communication address; and
      
      if the second communication address is the same as the first communication address, allowing the request;
      
      if the second communication address is not the same as the first communication address, requesting user authorization from the client browser at the second communication address.
  - 8. The method of claim 7, wherein requesting user authorization comprises:
    - requesting user authentication from the client browser at the second communication address; and
      
      generating authorized user data based on the requested user authentication.

9. A software stored in a non-transitory computer readable storage medium and comprising instructions executable by a data processing system and upon such execution cause the data processing system to perform operations comprising:
- receiving a request for a domain from a client browser, the client browser associated with a communication address;
  
  identifying authorized user data associated with the request;
  
  identifying the communication address associated with the client browser;
  
  associating the communication address of the client browser with the authorized user data;
  
  encrypting the authorized user data and the communication address to generate associated authorization data comprising an associate token, wherein the communication address includes a port address used by the client browser to communicate with the data processing system, thereby preventing intercepting of the first associated authorization data by an unauthorized client, wherein the encrypting uses a private key that is generated at a processing node;
  
  providing the associated authorization data to the client browser at the communication address; and
  
  processing a data request for the domain from the client browser using the associated authorization data, wherein the data request is provided to the processing node and not directly to the domain, wherein the processing node is part of a distributed security system located external from the client browser and external from the domain configured to monitor communications associated with the client browser in an overlay network, and wherein the client browser is prevented, by the processing node, from accessing the domain without the associated authorization data comprising the associate token and without a communication address associated with the data request matching the communication address associated with the associate token, wherein the associated authorization data determines eligibility of the client browser to complete an action associated with the domain, and wherein the distributed security system is configured to detect and preclude security threats comprising malware, spyware, and other undesirable content sent from or requested by the client browser or the domain.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The software of claim 9, wherein the communication address is a port address.
  - 11. The software of claim 9, wherein the request is an http request.
  - 12. The software of claim 9, wherein the associated authorization data is received in the form of an http cookie.
  - 13. The software of claim 9, wherein the authorized user data is based on authentication data.

14. A software stored in a non-transitory computer readable storage medium and comprising instructions executable by a data processing system and upon such execution cause the data processing system to perform operations comprising:
- receiving a request for a domain and associated authorization data from a client browser, the client browser associated with a request communication address, wherein the client browser communicates the request to the data processing system and not directly to the domain, wherein the data processing system is part of a distributed security system located external from the client browser and external from the domain configured to monitor communications associated with the client browser in an overlay network, wherein the distributed security system is configured to detect and preclude security threats comprising malware, spyware, and other undesirable content sent from or requested by the client browser or the domain;
  
  preventing the request if the associated authorization data fails to include an associate token;
  
  identifying the request communication address associated with the client browser;
  
  decrypting the associated authorization data into authorized user data and a source communication address from the associate token, wherein the client browser received the associated authorization data encrypted with source communication address based on communicating with the data processing system via the source communication address, thereby preventing intercepting of the associated authorization data by an unauthorized client, wherein the decrypting uses a public key that is generated at a processing node;
  
  determining whether the request communication address is the same as the source communication address in the associate token; and
  
  if the request communication address is the same as the source communication address, allowing the request comprising processing the request to the domain; and
  
  if the request communication address is not the same as the source communication address, requesting user authorization from the client browser at the request communication address;
  
  wherein the client browser is prevented, by the data processing system, from accessing the domain without the associated authorization data, wherein the associated authorization data determines eligibility of the client browser to complete an action associated with the domain.

15. A network security system, comprising:
- a plurality of communication device nodes external to network edges of an external system, each node comprising;
  
  a source processor configured to receive at a processing node a first request for a first domain from a first client browser, the first client browser associated with a first communication address;
  
  wherein the source processor is configured to;
  
  identify a first authorized user data associated with the first request;
  
  identify at the processing node the first communication address associated with the first client browser;
  
  associate at the processing node a first communication address of the first client browser with the first authorized user data;
  
  encrypt at the processing node the first authorized user data and the first communication address to generate a first associated authorization data comprising an associate token, wherein the first communication address includes a port address used by the first client browser to communicate with the processing node, thereby preventing intercepting of the first associated authorization data by an unauthorized client, wherein the encrypting uses a private key that is generated at the processing node;
  
  provide the first associated authorization data to the first client browser at the first communication address; and
  
  process the data request at the processing node for the first domain from the first client browser using the first associated authorization data responsive to a presence of the associate token in the data request and a communication address of the data request matching the first communication address associated with the associate token, wherein the data request is provided to the processing node and not directly to the first domain;
  
  wherein the processing node is part of the network security system located external from the first client browser and the first domain configured to monitor communications associated with the first client browser in an overlay network, and wherein the client browser is prevented, by the processing node, from accessing the first domain without the first associated authorization data, wherein the first associated authorization data determines eligibility of the client browser to complete an action associated with the first domain, wherein the network security system is configured to detect and preclude security threats comprising malware, spyware, and other undesirable content sent from or requested by the first client browser or the first domain.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, the source processor further configured to:
    - receives a second request for a second domain and second associated authorization data from a second client browser, the second client browser associated with a second communication address;
      
      identify a second communication address associated with the second client browser;
      
      decrypts the second associated authorization data into second authorized user data and the second communication address;
      
      determine whether the second communication address is the same as the first communication address;
      
      if the second communication address is the same as the first communication address, allow the second request;
      
      if the second communication address is not the same as the first communication address, request user authorization from the second client browser at the second communication address.
  - 17. The system of claim 16, wherein the first domain and the second domain are the same domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Kailash, Kailash, Nanjundaswamy, Shashidhara Mysore, Mullick, Amarnath, Raphel, Jose
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Le, Canh

Application Number

US12/179,492
Publication Number

US 20100024014A1
Time in Patent Office

2,896 Days
Field of Search

726/6
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 9/3213   using tickets or tokens, e....

HTTP authentication and authorization management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

HTTP authentication and authorization management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links