Many web sites are secure, at least in part, requiring users to provide an identity and a password to access some or all of the services of that site, including services exposing personal data retrieved for that particular user. An online service such as Microsoft® .NET Passport enables a user to use an existing username (e.g., e-mail address) and a single password to securely sign in to any participating web site or service. In this manner, a user can securely sign in to a number of different web sites once, without needing to remember a different sign-in name and password at every web site, or repeatedly provide the same one in a browsing session.
More particularly, when the user attempts to sign in to a participating site (e.g., www.participatingcompany.com), the site redirects the user to the .NET Passport site, which provides a form page through which the user enters credentials. If the credentials are validated, the .NET Passport site provides the user with a cookie (e.g., a ticket) and automatically redirects the user to the site that was first accessed, or to another appropriate site or page therein, e.g., a page for that user.
Once a user is signed in to a site, information (e.g., one or more cookies) is saved on the user's computer so that the user need not again provide credentials for any other participating site during that session. If the user elects to save the cookie as a persistent cookie on the computer, (in contrast to a session cookie that is removed when the browser instance is closed), the credential validation is thereafter transparent to the user when accessing the Internet from that computer.
The Passport service was created as a single sign-on authentication service based on web forms and the redirect capabilities of HTTP (HyperText Transfer Protocol), i.e., the 302 response code, which indicates to browser code that a request should be automatically redirected to another location, in this case the Passport authentication page. To this end, the HTTP 302 response is sent by the participating partner's server, including a header that indicates the Passport login server to which the request should be redirected. Because established browser functionality reissues the request to the new location whenever a 302 response is received, the request is automatically redirected. In this manner, the Passport login server presents the web-form-based user interface through which the username and password are entered. When the credentials are valid, the login server responds with another 302 redirect, this time to an appropriate page on the site (e.g., www.participatingcompany.com/WelcomeValidUser.htm or www.participatingcompany.com/YourAccount.asp).
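The redirect exchange described above, as an added example that is not part of the patent text: a partner site answers an unauthenticated request with a 302 to a login server, the login server validates the credentials and 302s back with a MAC-protected ticket, and the partner saves that ticket as the cookie so later requests in the session need no redirect. The login hostname, the ticket format, the key and the account are assumptions; only www.participatingcompany.com comes from the text.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse
import hashlib, hmac

# Constructed demo values: the login host, key and account are hypothetical.
PARTNER = "www.participatingcompany.com"        # partner site named in the text
LOGIN_SERVER = "login.passport.invalid"         # hypothetical login server
TICKET_KEY = b"demo-shared-ticket-key"          # hypothetical key shared with the partner
ACCOUNTS = {"user@example.com": "correct-horse"}

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def ticket_mac(user):
    return hmac.new(TICKET_KEY, user.encode(), hashlib.sha256).hexdigest()

def ticket_user(ticket):
    """Return the user named by a ticket only if its MAC verifies; None otherwise."""
    user, _, mac = ticket.rpartition(":")
    return user if user and hmac.compare_digest(mac, ticket_mac(user)) else None

def partner(path, query, cookies):
    """Partner site: honour a ticket on the return redirect or in a cookie, else 302 to login."""
    user = ticket_user(parse_qs(query).get("t", [""])[0]) or ticket_user(cookies.get("ticket", ""))
    if user:
        cookies["ticket"] = f"{user}:{ticket_mac(user)}"   # saved so later requests skip the redirect
        return Response(200, body=f"Welcome {user}: {path}")
    ru = f"http://{PARTNER}{path}"
    return Response(302, {"Location": f"http://{LOGIN_SERVER}/login?{urlencode({'ru': ru})}"})

def login_server(query, creds):
    """Login server: show the form, or validate credentials and 302 back with a ticket."""
    ru = parse_qs(query).get("ru", [""])[0]
    if urlparse(ru).hostname != PARTNER:       # refuse to redirect anywhere but a known partner
        return Response(400, body="unknown return URL")
    if creds is None or ACCOUNTS.get(creds[0]) != creds[1]:
        return Response(200, body="<form>enter username and password</form>")
    return Response(302, {"Location": f"{ru}?{urlencode({'t': creds[0] + ':' + ticket_mac(creds[0])})}"})

def browse(url, creds=None, cookies=None, hops=0):
    """Browser: route the request to the named host and follow 302s, at most five deep."""
    cookies = {} if cookies is None else cookies
    u = urlparse(url)
    resp = partner(u.path, u.query, cookies) if u.hostname == PARTNER else login_server(u.query, creds)
    if resp.status == 302 and hops < 5:
        return browse(resp.headers["Location"], creds, cookies, hops + 1)
    return resp
```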
While the above system is simple and functional, it suffers from technical limitations. For example, many new security enhancements and capabilities are built into contemporary operating systems or are otherwise performed locally, including the ability to use different authentication protocols (e.g., Kerberos, NTLM, Basic, Digest and so forth). While use of such local security features for obtaining authentication information is desirable (among other reasons, because doing so generally provides more security), using such local security was heretofore virtually impossible to implement without causing other problems. For example, to implement locally based authentication using existing HTTP mechanisms, not only would every participating server have to change the type of response sent when authentication was required, but every user's computer would have to be updated to handle the new type of response, which is not realistically possible.