This invention generally relates to information retrieval over a network, and, more specifically, to a method, apparatus, and product for managing one or more sessions in a stateless network system.
Computer networks have become ubiquitous in business, industry, and education. In one approach, a network is configured with one or more user accounts, each of which is uniquely associated with a human network user or host computer. The network also has one or more resources, such as application programs that provide various computing functions, which are available to all users. In this approach, a user logs into his or her user account, selects a desired application. A disadvantage of this approach is that every user has the same rights to access any of the network resources.
Development of the globally accessible, packet-switched network known as the Internet has enabled network resources, accounts and applications to become available worldwide. Development of hypertext protocols that implement the World Wide Web (xe2x80x9cThe Webxe2x80x9d) is enabling networks to serve as a platform for global electronic commerce. In particular, the Web is enabling the easy exchange of information between businesses and their customers, suppliers and partners.
Businesses are rushing to publish information on the Web and just as quickly stumbling into several roadblocks. For example, some information is valuable and sensitive, and needs to be made available only to selected users. Thus, there is a need to provide selective access to network resources and information over the Web.
This need exists in the context of internal Web networks that are available to employees of an organization, called Intranets, as well as Web networks and resources that are available to external customers, suppliers and partners of the organization, called extranets. Extranet users may require information from a large number of diverse sources, for example, product catalogs, customer databases, or inventory systems. There may be millions of potential users, the number of which grows dramatically as an organization prospers. Thus, there is a need for a large-scale system that can provide selective access to a large number of information sources for a large number of users.
Because some of the information sources are sensitive, there is a need to provide secure access to the information. Current networks and Web systems, including Intranets and extranets, are expensive and complex to implement. These technologies also change rapidly. There is a need for any information access method or system to integrate with and use existing equipment, software and systems. There is also a need for method and system that is flexible or adaptable to changing technologies and standards.
One approach to some of the foregoing problems and needs has been to provide each network resource or application program with a separate access control list. The access control list identifies users or hosts that are authorized to access a particular application. As new users or hosts are added to the network, the access control lists grow, making security management more complicated and difficult. Use of a large number of separate lists also makes the user experience tedious and unsatisfactory.
Another disadvantage of the foregoing approaches is duplication of management processes. To add new users to the system, a network administrator must repeat similar access processes for each application or resource to be made available to the new users. The redundancy of these processes, combined with rapid growth in the number of users, can make the cost of deploying, managing and supporting a system unacceptably high.
Thus, there is a need for a mechanism to govern access to one or more information resources in which selective access is given to particular users.
There is also a need for such a mechanism that is equally adaptable to an internal network environment and to an external network environment. There is a further need for such a mechanism that is easy to configure and re-configure as new users and resources become part of the system. There is still another need for such a mechanism that is simple to administer.
A related approach is described in prior application Ser. No. 09/113,609, filed Jul. 10, 1998, now U.S. Pat. No. 6,182,142 entitled xe2x80x9cControlling Access to Protected Information Resources,xe2x80x9d and naming Teresa Win and Emilio Belmonte as inventors. In an embodiment of the system described in such prior application, a client process interacts with one or more server processes to obtain authorization to access protected resources. These interactions generally occur during one or more HTTP sessions that are established between the client and the server.
One problem of this configuration is how to store and manage information about the sessions. Since HTTP is a stateless protocol, it does not inherently have a mechanism for keeping track of information from session to session. A prior approach to this problem involves creating, storing, and accessing locally stored files called xe2x80x9ccookies.xe2x80x9d A cookie is a text file, created and stored at the client, that contains information that identifies a particular session. In one embodiment of the system described in the above-referenced prior application, a cookie is created and stored by a browser each time the browser accesses and interacts with an authentication server.
Each cookie includes an expiration time value. If the client attempts to access a protected resource after the time represented by the expiration time value, the client must re-authenticate itself with the authentication server.
Although this approach provides a modicum of security, it is subject to attack. For example, a cookie can be copied and moved to another computer without authorization.
One workaround is to create cookies that have an expiration time of xe2x80x9c0.xe2x80x9d Such cookies never expire, and are stored only in volatile memory at the client. Thus, security is improved. However, this approach is impractical, because it prevents the administrator of the system from limiting the amount of time after which a user is required to undergo authentication. Potentially, the user could be logged in and authenticated for an indefinite and perhaps unlimited period of time. Further, if the authenticated user leaves his or her workstation unattended, the user remains logged in, and an interloper could access the system without authorization.
Based on the foregoing, there is a clear need in this field for an improved way to manage client-server sessions in networks that use stateless protocols.
The foregoing needs, and other needs and objectives that will become apparent from the description herein, are achieved by the present invention, which comprises, in one aspect, a method of managing sessions in a stateless network system that includes a plurality of first servers each controlling access by one of a plurality of clients to resources of a plurality of second servers. In one embodiment, the method involves creating a session manager that is bound to the first server. One of the first servers receives a request of the client to obtain one of the resources of one of the second servers. The session manager determines from information stored therein whether the client is part of an authenticated session with any of the first servers. The session manager grants the client access to the resource only when the information in the session manager indicates that the client is part of an authenticated session.
In one feature, the determining step involves determining, at the session manager from information stored therein and based on a session identifier that is generated by the first server and provided to the session manager, whether the session identifier is valid; and granting the client access to the resource only when the session identifier indicates that the client is part of a valid session.
In another feature, the determining step involves determining, at the session manager from information stored therein and based on a session identifier that is generated by the first server and provided to the session manager, whether the session identifier is valid; determining, at the session manager, whether the client has failed to contact any of the first servers within a predetermined period of time; and granting the client access to the resource only when the session identifier indicates that the client is part of a valid session and the client has contacted at least one of the first servers within the pre-determined period of time.
Another feature relates to determining, at the session manager from information stored therein and based on a session identifier that is generated by the first server and provided to the session manager, whether the session identifier is valid; determining, at the session manager, whether the session identifier has been revoked; and granting the client access to the resource only when the session identifier indicates that the client is part of a valid, un-revoked session.
In another feature, the method includes creating and storing a plurality of session managers, each session manager being associated with at least one of the first servers, each session manager having a locally stored set of session information defining one or more valid sessions between the clients and the second servers; and synchronizing the session information of each of the session managers with the session information of all other session managers.
In still another feature, the method involves creating and storing a plurality of session managers, each session manager being associated with at least one of the first servers, each session manager having a locally stored set of session information defining one or more valid sessions between the clients and the second servers; when one of the session managers is created: receiving, at that session manager, a list of all other session managers that are online; synchronizing the session information of that session manager with each other session manager in the list; and storing information in that session manager indicating that it is online.
Yet another feature includes creating and storing, in association with each of the first servers, a monitoring element that monitors whether each of the first servers is bound to its associated session manager.
Yet another feature involves creating and storing a topology management element that communicates with all of the first servers and all of the session managers and determines whether each first server is bound to an associated session manager.
Still another feature includes the steps of creating and storing a topology management element that communicates with all of the first servers and all of the session managers and determines whether each first server is bound to an associated session manager; registering one of the first servers with one of the session managers by creating and storing, in association with each of the first servers, a monitoring element that monitors whether each of the first servers is bound to its associated session manager; registering each of the session managers with the topology management element.
According to another feature, the method includes creating and storing, in association with each of the first servers, a topology management element that monitors whether one of the first servers is bound to a first session manager; using the topology management element, detecting a failure of the first session manager; at the first server, binding the one of the first servers to a second session manager; monitoring, with the topology management element, whether the first server is bound to the second session manager.
In another feature, the method involves creating and storing, in association with each of the first servers, a topology management element that monitors whether one of the first servers is bound to a first session manager; using a first interceptor that is bound to the topology management element, detecting a failure of the first session manager, and in response thereto, deactivating the first session manager; using a second interceptor that is bound to the first server, detecting a failure of the first session manager, and in response thereto, at the first server, binding the one of the first servers to a second session manager; monitoring, with a third interceptor that is bound to the second session manager, whether the first server is bound to the second session manager.
In one embodiment, a user logs in to a system having protected resources. User login may occur when a user goes directly to an Access Server or because the user accesses a resource in a Protected server before login and a Runtime redirects the user to the Access Server. The Access Server authenticates the user. The Access Server communicates with an authentication mechanism that creates a session for that user in the Session Manager. The session is replicated to all other Session Managers. The User requests a resource in a Protected Server that has a Runtime. The Protected Server sends the user""s session to the Session Manager for verification. As a result, multiple sessions are managed and controlled.