1. Field of the Invention
This invention pertains in general to network security and in particular to providing selective access to web sites such as those conducting electronic commerce.
2. Description of the Related Art
The Internet relies on standard protocols and open systems. Consider, for example, the World Wide Web, where web sites are identified by uniform resource locators (URLs) in a standard format. Any client on the Internet can use a given site's URL to access the site.
In certain circumstances, however, the operators of a web site desire to limit the set of clients (and users of the clients) that can access their site. Further, in some cases the operators want to completely hide the site from unauthorized clients. For example, the site can exist as part of a beta test, and the operators might want to completely hide the site from clients that are not enrolled in the test. In another example, the site can be part of an electronic commerce system, and the operators might want to hide or limit site access to only clients entitled to use the system. It is difficult to hide or restrict a web site given the open access normally provided by the Internet.
One way to hide the existence of a web site is through obscurity. The site can be located at a URL unlikely to be discovered by unauthorized clients. The URL can be provided to the beta testers or other limited set of clients that are expected to access the site. Unfortunately, such URLs are often leaked to the public, making the site accessible to anyone who learns the URL. It is difficult to change the URL once it has leaked, because the new URL must be distributed to all of the authorized clients and any coded logic that makes use of the URL must also change.
One common way to restrict access to a web site is to establish access control at the site. The home page of the site can require that clients provide valid authentication credentials before allowing access to the remainder of the site. This solution, of course, exposes the existence of the site and is not ideal for situations where the site should remain hidden. Further, requiring authentication credentials interrupts the control flow for the site and is undesirable. In a beta test, the site operators would like to test the site using real-world conditions, and forcing an authentication step can disrupt the test if the production version of the site does not have authentication. Similarly, the site operators might not want to force an authentication in the middle of an electronic commerce transaction. Additionally, there are situations where the site operators desire a hybrid approach that hides the existence of a site from unauthorized clients yet also requires authorized clients to present credentials.
Looking at the issue more generally, site operators sometimes desire to treat different clients differently, such as by exposing different feature sets to different clients, either with or without requiring the clients to present authentication credentials. These variations are difficult to implement due to the open nature of the Internet. Accordingly, there exists a need in the art for a way to hide and/or restrict access to web sites on the Internet that does not suffer from the deficiencies described above.