1. Technical Field
The present invention relates generally to client-server Web-based transaction processing and, in particular, to authenticating users to access applications running on a Web server.
2. Description of the Related Art
The World Wide Web (WWW) of the Internet is the most successful distributed application in the history of computing. A conventional Web transaction involves a "client," which runs a browser, and a "server." In response to specification of a link at the browser, the client makes a request to the server identified in the link and, in return, receives a document or other object formatted according to HTML.
The Web server is usually a standalone file server that services various Web document requests. Because each server is self-contained, Web site administration is typically cumbersome: access control must be configured individually on each device. Moreover, private and public enterprises are now setting up so-called "Intranets" within their organizations to allow employees and customers to access data on their own corporate Web sites. Such organizations use multiple computers interconnected into a distributed computing environment in which users access distributed resources and process applications. Such architectures complicate the administration function.
An administration interface that runs on the Web server, for example, the Lightweight Directory Access Protocol (LDAP) GUI CGI, needs a mechanism to obtain a user name and password from a user at a Web browser to authenticate the user for administrative or directory tasks. In particular, the administration interface needs to associate this userid and password combination with the user's Web browser without forcing the user to log in for each transaction. In the prior art, it is known to provide an administration interface of this type using a server plug-in to authenticate the Web browser user and thereby enable Web-based access to secure documents. In this technique, which is described in copending application Ser. No. 08/790,041, titled "Distributed File System Web Server User Authentication With Cookies" and assigned to the assignee of this application, a cookie is used to represent a client authentication token. This approach assumes that cookies are supported by the browser; thus, the scheme does not account for the situation where a cookie value is not set by the client. Moreover, such known server-based schemes rely on the HTTP 401 authentication method. An authentication plug-in written for a specific Web server to support HTTP 401 cannot be ported across different Web servers. Moreover, HTTP 401 authentication requires users to shut down all instances of their Web browser before logging off from the Web-based application.
There remains a need in the art to provide Web server user authentication that overcomes these and other problems associated with the prior art.
It is an object of the present invention to provide an architecture for the dynamic use and validation of HTTP cookies for authentication by an application running on a web server.
A more specific object of this invention is to provide an automatic check to determine if a cookie is set on a web browser. In particular, the inventive mechanism advantageously uses a refresh object or page to allow a Web server GUI to automatically determine if the cookie has been set.
Another more specific object of this invention is to provide in-depth validation of a cookie value. The validation process preferably encompasses encryption, encoding, decoding, and decryption, as well as additional validation mechanisms to ensure that the cookie is valid for the user.
It is still another object of this invention to provide a mechanism that ensures that an authentication token is set on a client web browser before the user accesses an action menu.
It is still another object of this invention to ensure that a first user logs off from a web server completely so that a subsequent user cannot use the first user's userid and password to access protected documents or services.
Still another object of this invention is to provide cookie-based user authentication and thereby allow Web applications to be Web server neutral. As a by-product, the present invention obviates Web server-specific authentication plug-ins.
Another important object of the present invention is to provide an algorithm for constructing a cookie value using an encryption and encoding scheme. The cookie value is then validated using a corresponding decoding and decrypting scheme.
These and other objects of the invention are provided in a method of authenticating a Web browser user to a given Web server application, such as a directory service GUI interface. In a preferred embodiment, a method of enabling the Web browser user to interact with the given application running on a Web server begins by constructing and returning a cookie to the Web browser upon a given occurrence, e.g., user login to the application. Without additional user input, the routine then forces the Web browser to check with the Web server that the cookie was set on the Web browser. Preferably, this is accomplished by sending the cookie from the Web server in a refresh page that redirects the HTTP flow back to itself with a parameter to check if the cookie was set. At the Web server, a test is then done to determine whether the cookie (returned from the browser) is valid. If so, the user is allowed to interact with the given server application (e.g., to take a given action or to log off from the application without closing the Web browser).
In the preferred embodiment, the cookie is an ASCII string generated by concatenating into a derived value a userid, password and other information, such as the client machine IP address. The derived value is then encrypted to generate a binary string, and the binary string is then encoded into the ASCII string. That string is then sent to the Web browser in the refresh page together with the check parameter to facilitate the automatic check (on whether the cookie was set on the browser). Given this cookie construction, the step of determining whether the cookie is valid begins by decoding the ASCII string to generate a resulting binary value. The resulting binary value is then decrypted to generate a resulting derived value. A test is then performed to determine whether the IP address in the resulting derived value matches an IP address of a client machine on which the Web browser is running. If so, another test is performed to determine whether the user name and password in the resulting derived value match the user's user name and password. If so, the user is allowed to interact with the server application.
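The cookie construction and validation of the two preceding paragraphs, the refresh-page check that the cookie was actually set, and logoff without closing the browser, written out as an added Go example. This is illustrative code prepared for this page, not code from the patent or its assignee. Assumed for the example: a fixed 16-byte server key, a cookie named LDAPGUIAUTH, the paths /login and /logoff, form fields user and pass, and an in-memory userid/password table standing in for the directory. The text names neither a cipher nor an encoding; AES-GCM and base64 are the choices made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Assumed: a 16-byte AES key known only to the Web server (from a key store in
// practice) and an assumed cookie name. A bad key is fatal at start-up.
const cookieName = "LDAPGUIAUTH"
var gcm = func() cipher.AEAD {
	block, err := aes.NewCipher([]byte("0123456789abcdef"))
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}()

// buildCookie: concatenate userid, password and client IP into the derived value,
// encrypt it (AES-GCM, so any alteration fails to decrypt later), base64-encode
// the binary result into the ASCII cookie string. The nonce is prepended.
func buildCookie(userid, password, clientIP string) string {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // only if the OS entropy source is unusable
	}
	derived := []byte(userid + "\x00" + password + "\x00" + clientIP)
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, derived, nil))
}

// validateCookie reverses buildCookie: decode, decrypt, check the embedded IP
// against the requesting client, then check userid and password against the
// server's credential store. It returns the authenticated userid.
func validateCookie(value, clientIP string, users map[string]string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("cookie is not decodable")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", fmt.Errorf("cookie failed decryption")
	}
	parts := strings.SplitN(string(plain), "\x00", 3)
	if len(parts) != 3 || parts[2] != clientIP {
		return "", fmt.Errorf("cookie malformed or issued to a different client address")
	}
	if stored, ok := users[parts[0]]; !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(parts[1])) != 1 {
		return "", fmt.Errorf("userid/password no longer valid")
	}
	return parts[0], nil
}

// guiHandler: POST /login (fields user, pass) sets the cookie and returns a refresh
// page that sends the browser back to /login?check=1 with no user input; the action
// menu is reached only if the cookie came back and validated. /logoff expires it.
func guiHandler(users map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		clientIP, _, _ := net.SplitHostPort(r.RemoteAddr)
		switch {
		case r.URL.Path == "/logoff":
			// Expire the cookie so the next user of this browser cannot reuse it.
			http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "", Path: "/", MaxAge: -1})
			fmt.Fprintln(w, "logged off; the browser may stay open")
		case r.URL.Path == "/login" && r.URL.Query().Get("check") == "":
			user, pass := r.PostFormValue("user"), r.PostFormValue("pass")
			if stored, ok := users[user]; !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(pass)) != 1 {
				http.Error(w, "login failed", http.StatusUnauthorized)
				return
			}
			http.SetCookie(w, &http.Cookie{Name: cookieName, Value: buildCookie(user, pass, clientIP), Path: "/", HttpOnly: true})
			fmt.Fprint(w, `<html><head><meta http-equiv="refresh" content="0; url=/login?check=1"></head></html>`)
		default: // /login?check=1: did the cookie come back, and is it valid?
			c, err := r.Cookie(cookieName)
			if err != nil {
				http.Error(w, "cookie was not set: enable cookies and log in again", http.StatusBadRequest)
				return
			}
			userid, err := validateCookie(c.Value, clientIP, users)
			if err != nil {
				http.Error(w, "invalid cookie", http.StatusForbidden)
				return
			}
			fmt.Fprintf(w, "action menu for %s\n", userid)
		}
	})
}

func main() {
	users := map[string]string{"admin": "s3cret"} // constructed credential store
	http.ListenAndServe(":8080", guiHandler(users))
}
```

Two points a practitioner would check before adopting this. First, the cookie carries the user's password, so the encryption step should be an authenticated mode such as the AES-GCM used here: a modified cookie is then rejected at decryption rather than reaching the IP and credential comparisons, and the server key must be guarded accordingly (over TLS the cookie should also carry Secure). Second, the IP check is implemented exactly as the text describes, comparing the embedded address with the request's RemoteAddr, so a client whose address changes mid-session (a rotating proxy pool, a laptop moving between networks) is effectively logged out and must log in again. To exercise the flow: POST user=admin&pass=s3cret to /login, follow the refresh to /login?check=1; with cookies disabled the server answers 400, with the cookie present and valid it renders the action menu.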
The given server application, in one embodiment, is a Lightweight Directory Access Protocol (LDAP) GUI interface.
The foregoing has outlined some of the more pertinent objects and features of the present invention. These objects should be construed to be merely illustrative of some of the more prominent features and applications of the invention. Many other beneficial results can be attained by applying the disclosed invention in a different manner or modifying the invention as will be described. Accordingly, other objects and a fuller understanding of the invention may be had by referring to the following Detailed Description of the Preferred Embodiment.