Many businesses have embraced the Internet as a way to reduce expenses and advertise their services or products to a wide consumer base. These businesses (i.e. web merchants) have set up online shopping web sites to sell soft goods, such as information or software, and/or hard goods. This benefits many consumers (i.e. web clients) who increasingly use the Internet because of the ease with which they can shop online. In fact, online transactions between web merchants and web clients are becoming increasingly numerous.
Although e-commerce is convenient, it is not problem free, since communication between a web client's web browser and an e-commerce web site is based on HTTP (HyperText Transfer Protocol). HTTP is stateless, which means that the protocol does not maintain information about a web client from one visit to the next. As a result, the e-commerce web site must take steps to remember a web client who revisits at a later date. Another problem is that HTTP is not secure, which is troublesome since a web client must provide sensitive information, such as a credit card number or an account number, in order to pay for and receive products. An unauthorized user may be watching the HTTP communication to steal this sensitive information. The unauthorized user could then order goods under the web client's identity and request that the goods be sent to a different address, or access sensitive web client data such as address and credit card information.
To correct these problems, an e-commerce web site must allow for authentication and session management while holding a conversation with a web client. Further, a secure communication protocol must be used when sensitive information is transmitted between the web client and the e-commerce web site. Session management allows a web site to remember a web client between different login sessions whereas authentication is a security measure which assures a web site that a request came from the same web client who originally logged onto the web site. A secure communication protocol encrypts the data transmitted between the e-commerce web site and a web client. To accomplish authentication and session management, one may utilize HTTP Basic Authentication, Name-Value Pair Authentication or session cookies.
HTTP Basic Authentication always requires a web client to log on before session management. To this end, a login window will pop open when the web client first accesses the web site. This login window is not easily customizable by the web site administrator. Thus, there is no support for guest client access of secure web pages because the web server forces the web client to log on. Consequently, most e-commerce web sites do not use HTTP Basic Authentication.
Name-Value Pair Authentication involves embedding security information in every URL (Uniform Resource Locator) or in the data in every web page on the e-commerce web site. Consequently, the web site developers need to handle authentication for each web page by passing authorization data from one web page to another. This authorization data may be easily lost when the web client jumps from a secure web page to a non-secure web page. Name-value pairs also do not support guest client access of secure web pages because the web server forces the web client to register or log on when accessing a secure web page. The authorization data is also not secure if it is appended to the web page URL since it may be exposed in the web server's log or shown on the web client's web browser. In addition, authorization data included in web page data is not secure since it may be seen by viewing the web browser cache files.
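The web server log exposure described above can be checked for directly. The following is an added example, not part of the original text: it scans access-log lines for authorization data carried in the URL and redacts it. The Common Log Format layout, the parameter names in `SENSITIVE` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names of name-value pairs that carry authorization data.
SENSITIVE = {"authtoken", "sessionid", "password"}
# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_line(line):
    """Return (line with sensitive values masked, list of parameter names found)."""
    m = REQUEST.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    found, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            found.append(key)
            value = "REDACTED"
        pairs.append((key, value))
    if not found:
        return line, []
    target = urlunsplit(("", "", parts.path, urlencode(pairs), ""))
    return line[:m.start("target")] + target + line[m.end("target"):], found

def scan(lines):
    """Return (line number, parameter names, redacted line) for each exposing line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted, found = redact_line(line)
        if found:
            hits.append((number, found, redacted))
    return hits

# Constructed sample log lines (documentation address range, made-up token).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /catalog/item7 HTTP/1.0" 200 2326',
    '203.0.113.5 - - [10/Oct/2000:13:56:02 -0700] '
    '"GET /account/orders?user=alice&authtoken=constructed123 HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for number, found, redacted in scan(SAMPLE_LOG):
        print(f"line {number}: {found} in URL -> {redacted}")
```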
Cookies are the most popular method for session management and authentication between a web site and a web client. Cookies are stored and retrieved on the web client's computer. Permanent cookies are stored on the computer's hard drive, whereas temporary cookies are stored in volatile memory and erased once the web session is finished. The Netscape Navigator™ web browser stores permanent cookies in a text file (i.e. cookie.txt) with one line in the file being used per cookie, whereas the Microsoft Internet Explorer™ web browser uses a separate text file for each permanent cookie. Cookies are designed to provide useful information about the web client to the web server, such as which web pages the web client last accessed. Cookies can also be used to provide some pre-determined level of web client access and customization at a web site. The cookie also contains a description of the set of URLs for which the cookie is valid. Any future HTTP requests made by the web client, which coincide with the set of URLs contained in a cookie, will include a transmittal of the cookie's current value from the web client back to the web server.
The first time that a web client requests information from a web server that makes use of cookies, the web server delivers the requested information along with a cookie. The cookie is sent, from the web server to the web client, by including a Set-Cookie header as part of an HTTP response. The Set-Cookie header is generated by a CGI script and contains the following attributes: NAME, DATE, PATH, DOMAIN and SECURE. The NAME attribute contains web client related data which is used by the web site. There can be many NAME attributes in a cookie and many Set-Cookie headers can be issued in a single web server response. The DATE attribute specifies a date which indicates when the cookie will expire. The PATH attribute specifies the subset of URLs in a domain for which the cookie is valid. The DOMAIN attribute is the internet domain name of the web site. The SECURE attribute indicates the conditions under which the cookie is transmitted. For instance, if the cookie's SECURE attribute is marked as secure, then it will only be transmitted if the communication channel between the web server and the web client is secure.
Cookie-based session management must incorporate a secure communication protocol to prevent unauthorized users from stealing sensitive data contained in the cookie. One such protocol is HTTPS (HTTP over SSL). The acronym SSL stands for Secure Socket Layer protocol, which is an industry standard for transmitting information securely while using HTTP. HTTPS includes provisions for web server authentication (verifying the web server's identity to the web client), data encryption and web client authentication (verifying the web client's identity to the web server). Each HTTPS-enabled web server is installed with both a coder and a decoder which utilize keys and data encryption that are unique. The data encryption, which converts words and numbers into a series of alpha-numeric characters, can only be unlocked by the decoder that comes with the web server licensed to the web merchant. The level of security depends on whether a 40-bit or 128-bit key is used. The difficulty in cracking the code (or the key) increases with the number of bits contained in the key. Cookie-based session management and authentication schemes have been described in the prior art.
U.S. Pat. No. 5,875,296 discloses a method for providing secure access to a distributed file system via a web site. The method utilizes a single cookie containing a user identifier to access files in the distributed file system. This cookie allows the user to avoid having to re-enter a user ID and password every time information on the distributed file system is accessed. This method is also specific to a distributed file system and does not use a secure communication protocol.
U.S. Pat. No. 6,047,268 discloses a system and method for authenticating web clients who make online purchases. Authentication is provided by a single cookie that contains a static portion identifying the web client's account number and an encrypted dynamic portion which identifies the last transaction made by the web client. This cookie is updated after each new transaction with a new dynamic portion; however, this patent discloses using sensitive information in the cookie and permanent cookie storage on the web client's computer system. In addition, the e-commerce method disclosed in this patent is not flexible enough to allow guest clients to perform online shopping; all web clients must register in order to shop online. U.S. Pat. No. 6,047,268 does disclose the use of HTTPS but does not state if HTTPS is used exclusively or whether the communication protocol switches between HTTPS and HTTP.
U.S. Pat. No. 6,076,069 discloses a system and method for redeeming electronic coupons. When a web client visits a web site, which advertises promotional material from a web merchant, a coupon is stored on the web client's computer system in the form of a cookie. If the web client later visits the web merchant's web site, the web site will recognize the electronic coupon stored in the cookie and offer a discount to the web client. This patent does not teach the use of a secure communication protocol. Furthermore, this patent discloses using sensitive information in the cookies, such as the web client's account number, and the use of persistent cookies (i.e. the cookies are stored permanently on the web client's computer system). Both of these features raise security issues.
The exclusive use of HTTPS entails a performance degradation because of the encoding and decoding which is done each time a web page is accessed. This is inefficient since many web pages, such as product catalog web pages, which incidentally obtain the most visits from web clients, do not require protection. In addition, using HTTPS for the web site home page URL can be inconvenient for a web client since the web client is not accustomed to using ‘https’ in place of ‘http’ in a web site's URL. Furthermore, switching between HTTP and HTTPS can be troublesome because currently, when a web client logs onto a web site using HTTPS, a cookie is issued to authenticate the web client; however, if the web client later browses a non-secure web page at the web site using HTTP, the same cookie is sent to the web client in clear text. At this point an unauthorized user can steal the cookie. Thus, using a single cookie under these circumstances jeopardizes the security of the web site.
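The single-cookie problem described above, together with the PATH, DOMAIN and SECURE matching rules from the Set-Cookie discussion, can be modelled as follows. This is an added example, not part of the original text: it decides which stored cookies accompany each request and reports the ones that travel over plain HTTP. The host `shop.example`, the cookie names and values, and the simplified matching rules are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into the fields used for matching."""
    jar = SimpleCookie()
    jar.load(header_value)
    name, morsel = next(iter(jar.items()))
    return {"name": name,
            "domain": morsel["domain"].lstrip(".").lower(),
            "path": morsel["path"] or "/",
            "secure": bool(morsel["secure"])}

def cookies_sent(url, stored):
    """Names of stored cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    sent = []
    for c in stored:
        # Simplified model: every sample cookie carries an explicit Domain.
        domain_ok = host == c["domain"] or host.endswith("." + c["domain"])
        prefix = c["path"] if c["path"].endswith("/") else c["path"] + "/"
        path_ok = path == c["path"] or path.startswith(prefix)
        # SECURE cookies are withheld unless the channel is HTTPS.
        channel_ok = parts.scheme == "https" or not c["secure"]
        if domain_ok and path_ok and channel_ok:
            sent.append(c["name"])
    return sent

def cleartext_exposures(set_cookie_headers, visited_urls):
    """(url, cookie name) pairs for cookies transmitted over plain HTTP."""
    stored = [parse_set_cookie(h) for h in set_cookie_headers]
    return [(url, name) for url in visited_urls
            if urlsplit(url).scheme == "http"
            for name in cookies_sent(url, stored)]

# Constructed browsing session: log in over HTTPS, browse the catalog over HTTP.
VISITS = ["https://shop.example/login",
          "http://shop.example/catalog/item7",
          "https://shop.example/checkout"]
# Constructed Set-Cookie values: one authentication cookie, without and with SECURE.
SINGLE_COOKIE = ["AUTH=constructed-token-1; Path=/; Domain=shop.example"]
SINGLE_COOKIE_SECURE = ["AUTH=constructed-token-1; Path=/; Domain=shop.example; Secure"]

if __name__ == "__main__":
    print("without SECURE:", cleartext_exposures(SINGLE_COOKIE, VISITS))
    print("with SECURE:   ", cleartext_exposures(SINGLE_COOKIE_SECURE, VISITS))
```

Marking the single cookie SECURE removes the clear-text exposure, but the cookie is then absent from the HTTP catalog request, so the site cannot recognize the web client on its non-secure pages.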
Accordingly, there is a need for an improved secure session management and authentication method, using cookies, to protect both the web site and the web client from unauthorized users. The present invention addresses these needs.