The present invention generally relates to a computer client-server environment. In particular, the invention relates to a method and system for providing secure transactions and for tracking the state of communications in a public network.
In an ever-increasing fashion, networks are used to transfer data among computers throughout the world. These networks utilize a protocol in which data groups, called packets, are requested by one computer and sent by another computer. With the prevalent use of the global public network known as the Internet, computers located remotely from each other can share information by requesting and delivering these packets. In a client-server environment, the client and a server are software or hardware applications which are used to communicate in a request/response manner. The separate client and server applications can be resident on a single computer or separated by thousands of miles in separate computers connected via a network.
The world-wide web, or "Web," is one such information system implemented on the Internet. The Web is based on hypertext technology, which allows certain elements of a document or "page" to be expanded or linked to other elements elsewhere on the "Web" of interconnected computers. The Web may be viewed by users via "browsers," which essentially are local computer programs that read hypertext documents and display graphics. The Web is gated or navigable via these hypertext documents and is structured using links between these documents. The address of individual documents are known as "universal resource locators," or "URLs."
In the Web's data exchange implementation, the local computer requesting information may be considered a "client" and the computer responding to the requests may be considered a "server." Data exchange between the client and server is performed via discontinuous, unrelated and standalone request/response pairs for information. In order to more efficiently handle requests from many clients, the server initiates a new connection for every request. This connection is subsequently broken after each response is transmitted. The server is thereafter available to service a new connection requested from another client.
For every request from the same client, a new connection must be established, although this typically is done fairly quickly. Consequently, a user (or client) who has made previous requests is treated no differently from one who has not. The server responds to each request for information in the order received. Thus, if the client is accessing the server in a series of interdependent cumulative steps, the client not only must request a new connection, but must resend the results of the previous requests to the server. The existence of a new connection and a new set of requests that is sent from the client to the server is often concealed from the user. Thus, the client transparently remembers the "state" of the exchanges between the client and the server, and returns this information to the server so that the exchange can continue appropriately. Often, this "state" information is sent with the URL in each new request.
With this configuration, the state information is stored primarily at the client. If the client does not reestablish a connection with a particular server immediately, some of the state information may become irrelevant or stale as the server updates its own database information. Thus, the state information stored at the client may become irrelevant or useless after a period of time, and the client will need to reestablish the current state with a particular server again.
As the number of cumulative requests to an "interesting" server increases, however, the required amount of information that the client must send to the server also increases. An "interesting" Web application running on a server must acquire and retain state information from the client. With the bandwidth limitations of conventional phone lines or network cable, the retransmitted information increases the amount of time it takes for a client to send a request to the server and to receive a response. More importantly, valuable or confidential information, such as credit card account numbers, is repeatedly sent and is subject to increased risk of interception by undesired parties. Furthermore, should the integrity of the communications link between the client and the server be interrupted at any time, much of the state information retained at the client or the server may be lost, thereby requiring the client to proceed through a previous series of requests to establish the state where communications broke off.
The following practical example illustrates these shortcomings in the prior art. In this example, a server runs a "site," or "Web application" program, which processes mail order requests for clothing. A consumer uses his computer, the client, to purchase a pair of pants over the Internet by executing a series of requests to a server:
Request No. 1: Client requests "pants." Client sends no state information. In response, the server gets list of pants and sends the data back to the client. Request No. 2: Client requests "brown" and sends state information "clothing = pants." In response, the server gets a list of brown pants and sends the data back to the client. Request No. 3: Client requests "show me size 32" and sends state information "color = brown"; "clothing = pants." In response, the server retrieves a list of brown size 32 pants and sends the data back to the client. Request No. 4: Client requests "show me cuffed" and sends state information "color = brown"; "size = 32"; "clothing = pants." Server retrieves from its database the one cuffed brown size 32 pair of pants and sends the data back to the client. Request No. 5: Client requests "buy these, my CC # is 1234-4321-1121-3231" and sends state information "clothing = pants"; "color = brown", "size = 32", "pantlegs = cuffed." Server retrieves from its database the brown size 32 cuffed pants, processes the purchase using client's credit card number, and sends an appropriate response to the client.
The relationship between the client and the server is "stateless," in that their communication consists of transmissions bounded by disconnects and reconnects for each new request or response pair. The amount of data sent from the client to the server typically increases with every request by the client in order to ensure that each request from the client is recognized by the server in relation to previous requests. As those skilled in the art will appreciate, the state information sent in the final request necessarily repeats all of the state information accumulated from all previous communications within the same context. It is thus conceivable that a lengthy transaction could require the transmission of hundreds of pieces of state information between the client and server.
It is an objective of the present invention to provide a method for minimizing the amount of information to be transmitted between the client and the server during these network transactions.
It is also an objective of the present invention to increase the security and reliability of the client-server communications.
It is a further objective of the present invention to centralize and secure client-specific data and retain it at the server.