Method and apparatus for single sign-off using cookie tracking in a proxy

US 9,203,922 B2
Filed: 05/25/2010
Issued: 12/01/2015
Est. Priority Date: 05/25/2010
Status: Active Grant

First Claim

Patent Images

1. A method, operative at an intermediary between a client browser and one or more backend applications during an existing authenticated session with a user operating the client browser, the method comprising:

responsive to forwarding a request to a backend application during the existing authenticated session, receiving a response that includes a cookie;

tracking the cookie by storing information about the cookie in a per-user session cache object associated with the existing authenticated session;

forwarding the cookie to the client browser;

responsive to receiving a log out of the existing authenticated session, making a determination whether to expire the cookie tracked in the per-user session cache object; and

based on the determination, expiring the cookie tracked in the per-user session cache object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intermediary (such as a web reverse proxy), which is located between a web browser and one or more backend applications, manages cookies that are provided by the backend applications and returned to the web browser during a user session. When a session sign-off event is initiated in the reverse proxy, HTTP “Set-Cookie” headers are sent back to the web browser to destroy the cookies (in the browser) that represent sessions with the one or more backend application(s).

11 Citations

View as Search Results

24 Claims

1. A method, operative at an intermediary between a client browser and one or more backend applications during an existing authenticated session with a user operating the client browser, the method comprising:
- responsive to forwarding a request to a backend application during the existing authenticated session, receiving a response that includes a cookie;
  
  tracking the cookie by storing information about the cookie in a per-user session cache object associated with the existing authenticated session;
  
  forwarding the cookie to the client browser;
  
  responsive to receiving a log out of the existing authenticated session, making a determination whether to expire the cookie tracked in the per-user session cache object; and
  
  based on the determination, expiring the cookie tracked in the per-user session cache object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 wherein the cookie tracked in the per-user session cache object is expired by sending a response to the log out, the response including a set cookie header with a past expiry.
  - 3. The method as described in claim 1 wherein the cookie tracked in the per-user session cache is expired by sending a response to the log out, the response including an expiry header.
  - 4. The method as described in claim 1 further including deleting information associated with the cookie from the per-user session cache object.
  - 5. The method as described in claim 1 wherein the intermediary is a web reverse proxy and the response from the backend application is an HTTP response.
  - 6. The method as described in claim 5 wherein the HTTP response includes a set-cookie HTTP header that includes the cookie.
  - 7. The method as described in claim 1 further including determining, upon receipt of the log out, whether the cookie is to be expired.
  - 8. The method as described in claim 7 wherein the determination is made by determining whether the cookie matches a list of cookies identified in a configuration.

9. Apparatus positioned between a client browser and one or more backend applications, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method during an existing authenticated session with a user operating the client browser, the method comprising;
  
  responsive to forwarding a request to a backend application during the existing authenticated session, receiving a response that includes a cookie;
  
  tracking the cookie by storing information about the cookie in a per-user session cache object associated with the existing authenticated session;
  
  forwarding the cookie to the client browser;
  
  responsive to receiving a log out of the existing authenticated session, making a determination whether to expire the cookie tracked in the per-user session cache object; and
  
  based on the determination, expiring the cookie stored in the per-user session cache object.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. Apparatus as described in claim 9 wherein the cookie tracked in the per-user session cache object is expired by sending a response to the log out, the response including a set cookie header with a past expiry.
  - 11. The apparatus as described in claim 9 wherein the cookie tracked in the per-user session cache is expired by sending a response to the log out, the response including an expiry header.
  - 12. The apparatus as described in claim 9 wherein the method further includes deleting information about the cookie from the per-user session cache object.
  - 13. The apparatus as described in claim 9 wherein the response from the backend application is an HTTP response.
  - 14. The apparatus as described in claim 13 wherein the HTTP response includes a set-cookie HTTP header that includes the cookie.
  - 15. The apparatus as described in claim 9 wherein the method further includes determining, upon receipt of the log out, whether the cookie is to be expired.

16. A computer program product in a non-transitory computer readable medium for use in a data processing system positioned between a client browser and one or more backend applications, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method during an existing authenticated session with a user operating the client browser, the method comprising:
- responsive to forwarding a request to a backend application during the existing authenticated session, receiving a response that includes a cookie;
  
  tracking the cookie by storing information about the cookie in a per-user session cache object associated with the existing authenticated session;
  
  forwarding the cookie to the client browser; and
  
  responsive to receiving a log out of the existing authenticated session, making a determination whether to expire the cookie tracked in the per-user session cache object; and
  
  based on the determination, expiring the cookie stored in the per-user session cache object.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The computer program product as described in claim 16 wherein the cookie tracked in the per-user session cache object is expired by sending a response to the log out, the response including a set cookie header with a past expiry.
  - 18. The computer program product as described in claim 16 wherein the cookie tracked in the per-user session cache is expired by sending a response to the log out, the response including an expiry header.
  - 19. The computer program product as described in claim 16 wherein the method further includes deleting information about the cookie from the per-user session cache object.
  - 20. The computer program product as described in claim 16 wherein the response from the backend application is an HTTP response.
  - 21. The computer program product as described in claim 20 wherein the HTTP response includes a set-cookie HTTP header that includes the cookie.
  - 22. The computer program product as described in claim 16 wherein the method further includes determining, upon receipt of the log out, whether the cookie is to be expired.
  - 23. The computer program product as described in claim 16, wherein the computer program instructions are stored in the computer readable medium in the data processing system, wherein the computer program instructions were downloaded over a network from a remote data processing system.
  - 24. The computer program product as described in claim 16, wherein the computer program instructions are stored in the computer readable medium in the data processing system, wherein the computer program instructions are downloaded over a network to a remote data processing system for use in a computer readable medium with the remote system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Canning, Simon Gilbert, Exton, Scott Anthony, Readshaw, Neil Ian
Primary Examiner(s)
Donabed, Ninos

Application Number

US12/786,616
Publication Number

US 20110296036A1
Time in Patent Office

2,016 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 67/142   Managing session states for...

H04L 67/2895   Intermediate processing fun...

H04L 67/564   Enhancement of application ...

H04L 67/568   Storing data temporarily at...

Method and apparatus for single sign-off using cookie tracking in a proxy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for single sign-off using cookie tracking in a proxy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links