System and method for single sign-on session management without central server
First Claim
1. A computer-implemented method for single sign-on session management, the method comprising:
- receiving by a first plug-in module residing on a first processor controlled web server, a request to grant a client browser access to a protected resource accessible from the first processor controlled web server, the request comprising a session credential associated with a decryption key, the session credential including at least a session start timestamp and a maximum session idle time for a session initiated prior to the request and in response to authentication of the customer browser at a second plug-in module of another web server for access to another of the protected resources;
- decrypting the session credential using the decryption key and checking for validity of the session credential with the first plug-in module;
- granting the request if the session credential is validated and updating a time value of the session credential; and
- when the session credential is not validated, establishing a new session credential at the plug-in module located on the first processor controlled web server, wherein each of the first plug-in module and the second plug-in module are configured to establish and validate session credentials independently without redirecting the customer browser to a central sign-on server.
Abstract
A method and system for single sign-on session management. Functions of session management and client log-in, normally handled by separate system servers, are incorporated as plug-in modules on individual web content servers. In this manner, network traffic to grant and validate client user credentials is reduced or minimized.
24 Citations
14 Claims
1. Independent claim 1 is reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5.
6. A computer-implemented system for single sign-on session management, the system comprising:
- multiple protected web resources;
- at least a first and a second plug-in modules residing between the multiple protected web resources and a client browser, each of the first and the second plug-in modules residing on a corresponding first and second processor controlled servers, and the first and the second plug-in modules further configured to:
- receive, at the first plug-in module residing on the first processor controlled server, a first request to grant the client browser access to a first protected resource;
- receive, at the first plug-in module, credentials of the client browser;
- determine, at the first plug-in module, whether the client browser is authenticated and authorized;
- grant the first request and initiate creation of session credentials if the client browser is authenticated and authorized at the first plug-in module;
- provide the client browser with a cryptographically generated cookie including the session credentials;
- receive, at the second plug-in module residing on the second processor controlled server, a second request from the client browser for a second resource from the multiple protected resources, the second request including the cryptographically generated cookie;
- decrypt the cryptographically generated cookie using a key and checking for validity of the cookie;
- grant access to the second resource if the cookie is valid and update a time value of the session credential to be included in a new cryptographically generated cookie for the client browser; and
- log the client browser in via the second plug-in module if the cookie is not valid, wherein each of the first plug-in module and the second plug-in module are configured to create and validate session credentials independently without redirecting the customer browser to a central sign-on server.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14.