Atomic session-start operation combining clear-text and encrypted sessions to provide id visibility to middleware such as load-balancers
First Claim
1. A server farm for assigning both clear-text and encrypted-session requests from a client to an assigned server, the server farm comprising:
- a plurality of servers that includes the assigned server, the plurality of servers for sending web pages to clients, the web pages including clear-text web pages that are transmitted as non-encrypted clear-text data and web pages that are transmitted as encrypted data;
a load-balancer, receiving requests from clients, for distributing the requests to the plurality of servers, the load-balancer determining the assigned server in the plurality of servers by;
parsing a clear-text request for a server-assignment cookie, the server-assignment cookie indicating which server in the plurality of servers has previously been assigned to respond to requests from the client that generated the request;
or matching an encrypted-session identifier contained in the request for an encrypted page to an encrypted-session identifier table-entry identifying which server in the plurality of servers has previously been assigned to respond to an encrypted-session request from the client that generated the request; and
a network connection for connecting the load-balancer to receive the requests from the clients, and for sending responses from the plurality of servers to the clients;
wherein a server in the plurality of servers further comprises;
means for executing an atomic server-assignment operation, the atomic server-assignment operation generating the server-assignment cookie indicating that the server is assigned to receive requests from a client, atomic server-assignment operation generating the encrypted-session identifier used by the load-balancer to identify the server; and
atomic transmit means, receiving the server-assignment cookie and the encrypted-session identifier from the atomic server-assignment operation, for transmitting the encrypted-session identifier and the server-assignment cookie to the client through the network connection;
wherein the client stores the server-assignment cookie and stores the encrypted-session identifier, the client sending the server-assignment cookie but not the encrypted-session identifier with each clear-text request to the server farm, the client sending the encrypted-session identifier with each encrypted-session request to the server farm;
wherein the atomic server-assignment operation is initiated by a reference to an encrypted component on a clear-text web page, the encrypted component generating an encrypted-session request from the client that contains no encrypted-session identifier;
wherein a web browser that generates a warning message when a clear-text web page is referenced from an encrypted-session web page does not generate the warning message when the encrypted component is referenced, whereby load balancing among the plurality of servers is determined by the server-assignment cookie for clear-text requests, and determined by the encrypted-session identifier for encrypted-session requests and whereby the atomic server-assignment operation sets a server assignment for both clear-text requests and encrypted-session requests and whereby the warning message from the web browser is avoided when an encrypted session begins.
6 Assignments
0 Petitions
Accused Products
Abstract
A load-balancer assigns incoming requests to servers at a server farm. An atomic operation assigns both un-encrypted clear-text requests and encrypted requests from a client to the same server at the server farm. An encrypted session is started early by the atomic operation, before encryption is required. The atomic operation is initiated by a special, automatically loaded component on a web page. This component is referenced by code requiring that an encrypted session be used to retrieve the component. Keys and certificates are exchanged between a server and the client to establish the encrypted session. The server generates a secure-sockets-layer (SSL) session ID for the encrypted session. The server also generates a server-assignment cookie that identifies the server at the server farm. The server-assignment cookie is encrypted and sent to the client along with the SSL session ID. The Client decrypts the server-assignment cookie and stores it along with the SSL session ID. The load-balancer stores the SSL session ID along with a server assignment that identifies the server that generated the SSL session ID. When other encrypted requests are generated by the client to the server farm, they include the SSL session ID. The load-balancer uses the SSL session ID to send the requests to the assigned server. When the client sends a non-encrypted clear-text request to the server farm, it includes the decrypted server-assignment cookie. The load balancer parses the clear-text request to find the server-assignment cookie. The load-balancer then sends the request to the assigned server.
359 Citations
13 Claims
-
1. A server farm for assigning both clear-text and encrypted-session requests from a client to an assigned server, the server farm comprising:
-
a plurality of servers that includes the assigned server, the plurality of servers for sending web pages to clients, the web pages including clear-text web pages that are transmitted as non-encrypted clear-text data and web pages that are transmitted as encrypted data;
a load-balancer, receiving requests from clients, for distributing the requests to the plurality of servers, the load-balancer determining the assigned server in the plurality of servers by;
parsing a clear-text request for a server-assignment cookie, the server-assignment cookie indicating which server in the plurality of servers has previously been assigned to respond to requests from the client that generated the request;
ormatching an encrypted-session identifier contained in the request for an encrypted page to an encrypted-session identifier table-entry identifying which server in the plurality of servers has previously been assigned to respond to an encrypted-session request from the client that generated the request; and
a network connection for connecting the load-balancer to receive the requests from the clients, and for sending responses from the plurality of servers to the clients;
wherein a server in the plurality of servers further comprises;
means for executing an atomic server-assignment operation, the atomic server-assignment operation generating the server-assignment cookie indicating that the server is assigned to receive requests from a client, atomic server-assignment operation generating the encrypted-session identifier used by the load-balancer to identify the server; and
atomic transmit means, receiving the server-assignment cookie and the encrypted-session identifier from the atomic server-assignment operation, for transmitting the encrypted-session identifier and the server-assignment cookie to the client through the network connection;
wherein the client stores the server-assignment cookie and stores the encrypted-session identifier, the client sending the server-assignment cookie but not the encrypted-session identifier with each clear-text request to the server farm, the client sending the encrypted-session identifier with each encrypted-session request to the server farm;
wherein the atomic server-assignment operation is initiated by a reference to an encrypted component on a clear-text web page, the encrypted component generating an encrypted-session request from the client that contains no encrypted-session identifier;
wherein a web browser that generates a warning message when a clear-text web page is referenced from an encrypted-session web page does not generate the warning message when the encrypted component is referenced, whereby load balancing among the plurality of servers is determined by the server-assignment cookie for clear-text requests, and determined by the encrypted-session identifier for encrypted-session requests and whereby the atomic server-assignment operation sets a server assignment for both clear-text requests and encrypted-session requests and whereby the warning message from the web browser is avoided when an encrypted session begins. - View Dependent Claims (2, 3, 4, 5, 6)
whereby the load-balancer can read the encrypted-session identifier but cannot read the server-assignment cookie for encrypted-session requests. -
3. The server farm of claim 2 wherein after the atomic server-assignment operation, the encrypted-session request from the client contains the server-assignment cookie that is encrypted and not readable by the load-balancer, the encrypted-session request containing the encrypted-session identifier that is readable by the load-balancer.
-
4. The server farm of claim 1 wherein the encrypted component is an image file that is not visible to a user.
-
5. The server farm of claim 1 wherein the encrypted component contains public, non-confidential information that otherwise does not require encryption,
whereby the encrypted component is used to initiate the encrypted session before encryption is needed. -
6. The server farm of claim 1 wherein the load-balancer further comprises:
-
a session table having a plurality of entries, each entry containing a session identifier for an encrypted session and a server identifier that identifies an assigned server in the plurality of servers;
wherein the load-balancer compares an encrypted-session identifier for an incoming packet to the encrypted-session identifiers stored in the session table to find the server identifier indicating which servers is assigned to accept the incoming packet, whereby encrypted-session identifiers are stored in the session table in the load-balancer.
-
-
-
7. A method for load-balancing a web site, the method comprising:
-
receiving a clear-text request from a client for viewing a web page;
assigning the clear-text request from the client to a first server in a plurality of servers at the web site;
sending requested web page from the first server to the client using a clear-text connection;
before the client requests a web page that changes a state stored on the client, performing an atomic server-assignment operation by;
assigning an initial encrypted-session request from the client to an assigned server;
initiating an encrypted connection between the client and the assigned server;
deriving an encrypted-session identifier from the encrypted connection and associating the encrypted-session identifier to the assigned server in a load balancer;
generating a server-assignment state indicator that identifies the assigned server;
sending the encrypted server-assignment state-indicator to the client using an encrypted connection;
storing the encrypted-session identifier and the server-assignment state indicator on the client;
after the atomic server-assignment operation is performed, the client sending a clear-text request to the web site that includes the server-assignment state-indicator but does not include the encrypted-session identifier;
after the atomic server-assignment operation is performed, the client sending a encrypted-session request to the web site that includes the encrypted-session identifier;
a load-balancer reading the server-assignment state-indicator from the clear-text request from the client, the load-balancer sending the clear-text request to the assigned server identified by the server-assignment state-indicator;
the load-balancer reading the encrypted-session identifier from the encrypted-session request from the client the load-balancer associating the encrypted-session identifier with the assigned server; and
the load-balancer sending the encrypted-session request to the assigned server;
wherein the step of initiating an encrypted connection further comprises exchanging encryption keys and certificates among the client and the assigned server;
wherein the load-balancer does not exchange the encryption keys and certificates directly with the client, the encryption keys being forwarded through the load-balancer, the load-balancer capturing the encrypted-session identifier;
whereby the atomic server-assignment operation assigns a server for both clear-text and encrypted-session requests subsequently sent from the client to the web site. - View Dependent Claims (8, 9, 10, 11, 12, 13)
wherein the clear-text requests include requests for viewing product-information web pages;
wherein the clear-text requests sent by the client after the atomic server-assignment operation is performed include item-select requests to add items for purchase to a customer-item list, wherein the encrypted-session requests sent by the client after the atomic server-assignment operation is performed include a checkout request to confirm payment for the items for purchase on the customer-item list, whereby clear-text requests to add items to the customer-item list are not encrypted.
-
-
9. The method of claim 8 wherein the customer-item list is stored on the assigned server but not stored on other servers or on a central database before the checkout request is received,
whereby the customer-item list is locally stored before checkout. -
10. The method of claim 9 wherein the item-select requests change the state stored on the client,
whereby the atomic server-assignment operation is performed before items are added to the customer-item list. -
11. The method of claim 10 wherein the atomic server-assignment operation is initiated by a reference to an encrypted component embedded on a product-information web page,
whereby the atomic server-assignment operation is initiated by browsing a product-information web page before items are added to the customer-item list. -
12. The method of claim 8 wherein the assigned server responds to the checkout request by sending a checkout web page which allows a user at the client to input credit-card information for payment.
-
13. The method of claim 8 wherein the encrypted-session identifier is a secure-sockets-layer (SSL) session ID contained in a non-encrypted portion of an encrypted connection.
Specification