1. Technical Field
The present invention relates to an improved data processing system and, in particular, to a method and apparatus for managing sessions in a client/server environment. Still more particularly, the present invention provides a method and apparatus for securing hypertext transfer protocol sessions.
2. Description of Related Art
The worldwide network of computers commonly known as the “Internet” has seen explosive growth in the last several years. Mainly, this growth has been fueled by the introduction and widespread use of so-called “web browsers,” which enable simple graphical user interface-based access to network servers, which support documents formatted as so-called “web pages.” A browser is a program that is executed on a graphical user interface (GUI) in a client computer. The browser allows a user to seamlessly load documents from a server via the Internet and display them by means of the GUI. These documents are commonly formatted using markup language protocols, such as hypertext markup language (HTML).
The client and the web server typically communicate using hypertext transport protocol (HTTP). However, when a client is accessing sensitive information from a web server, a secure protocol may be used. Hypertext transport protocol secure is the protocol for accessing a secure Web server. Using HTTPS in the uniform resource locator (URL) instead of HTTP directs the message to a secure port number rather than the default Web port number of 80. The session is then managed by a security protocol. Secure sockets layer is the leading security protocol on the Internet. When a session is started in SSL, the browser sends its public key to the server so that the server can securely send a secret key to the browser. The browser and server exchange data via secret key encryption during that session.
However, HTTP is a stateless protocol. Therefore, every request from an HTTP client to an HTTP server is a new request and no state is maintained between requests. Conventionally, HTTP cookies are used to maintain a client-side state whereas sessions are used to manage the state information on the server side. A cookie is data created by a web server that is stored on a client computer. A cookie is used to keep track of a user's patterns and preferences and, with the cooperation of the Web browser, is stored within the client computer. Cookies contain a range of URLs for which they are valid. When the browser encounters those URLs again, it sends the appropriate cookies to the Web server.
A session is used to track the activities of a user. For example, a session may be created to allow a user to add items to a “shopping cart” using a plurality of individual requests. A session may also allow a user to use a web interface to search a database. Web interfaces may also be used to control equipment from remote locations. As web interfaces become increasingly popular, the security of sessions used to manage multiple transactions by individual clients becomes exceedingly important. Normally, a session is created on the server side. To associate a session with a user, a random number, referred to as a session identification (ID), is generated and associated with the user. The session ID is sent back to the browser as a cookie or through a URL rewriting mechanism.
When an HTTP request is received, the server verifies if a session ID is present. If an ID is present, the related session data is retrieved and the request is processed based on the session data. However, the server cannot verify that the user submitting the request is the same user to whom the session ID was originally assigned. Hence, a security loophole exists where an unauthorized user may submit a valid session ID. The session ID may be obtained by repeatedly submitting requests with potential session identifications until access is granted. Alternatively, the ID may be “sniffed” from the network by monitoring data traffic flow. The session ID may be obtained in this manner when a request is transmitted through an unsecure protocol, such as HTTP, as opposed to a secure protocol, such as HTTPS or SSL. In many web application server products, the security of session information is tied only to the randomness of the session ID under the assumption that the bit length of the number is high enough to prevent an unauthorized user from generating the same number in a short period of time. However, the likelihood of hijacking the session ID is not ruled out completely.
Therefore, it would be advantageous to have an improved method and apparatus for securing session information of users in a web application server environment.