1. Field of the Invention
The present invention is generally related to systems of performing commercial activities over a general access computer network and, in particular, to a system and method of conveniently and efficiently performing advertising responsive secure commercial purchase transactions over the Internet utilizing the World Wide Web.
2. Description of the Related Art
During the past few years, there has been a substantial growth in the quantity and diversity of information and services available over the Internet. The number of users of the Internet has similarly grown quite rapidly. Perhaps one if not the predominant area of growth on the Internet has been in the use of the World Wide Web, often referred to as WWW, W3, or simply "the Web." The hyper-text transfer protocol (HTTP) that serves as the foundation protocol for the Web has been widely adopted and multiply implemented in Web browsers and Web servers. Web browsers provide a convenient user application for receiving generally high quality text and graphical based information in a scrollable display page format. Such Web pages are related by embedded hyper-text links that reference other Web pages. Selection of a hyper-text link, either by direct reference or implied reference through an image map, causes a hyper-text jump to the selection referenced Web page. Selection is generally through a simple, single mouse click on a displayed portion of the text or graphics. This system of simply selecting relations makes browsing successive Web pages served from potentially quite diverse and distant Web servers convenient and intuitive, and accounts in large part for the rapid and wide acceptance of the Web as an information resource.
One of the anticipated uses of the Web has been to provide a venue for commercial transactions in products and services. However, commercial use of the Web has distinctly not met the anticipated potential for a number of reasons. These reasons include security, convenience of use, and efficiency. Regarding security, current conventional Web browsers generally provide for the use of a reasonably secure encryption protocol overlaid on the HTTP protocol. The encryption protocol, typically involving a key-exchange based encryption algorithm, permits individual transactions over the Internet to be secure. Consequently, sensitive information, such as credit card numbers and the like, can be reasonably transferred over the Internet with little risk that the information can be misappropriated and misused.
An exemplary security system utilized by conventional HTTP browsers and servers is known as the secure sockets layer (SSL). The secure sockets layer defines and implements a protocol for providing data security layered under various application protocols, such as HTTP in particular, and over a conventional TCP/IP communications stack. The secure sockets layer protocol discretely provides the potential for data encryption, server authentication, message integrity, and client authentication for supported protocol connections over a TCP/IP connection. In use, the secure sockets layer is implemented at both the client browser and server ends of a network connection. A conventional uniform resource locator (URL), utilizing "https" as the secure HTTP protocol identifier, is issued by the client browser to specifically request a secure client/server session. A series of handshake transactions are provided to negotiate the establishment of the secure session including performing an encryption key exchange that is used in an encryption algorithm implemented by both the client-side and server-side secure sockets layers.
As part of this handshaking, the client browser may also retrieve the authentication certificate of the server for validation against a known certificate authority to ensure that the server is not an imposter. The secure HTTP protocol permits the server to also request and validate the authentication certificate, if any, held by the client. However, in general, client browsers and, more specifically, their client host computer systems are rarely registered with a publicly accessible authentication certificate authority. Thus, general use of client certificate authentication is not a viable means for identifying specific client users or client computer systems.
As a consequence, commercial use of the Web to sell products and services practically requires the establishment of a forms based user identification scheme, typically based on user name and password, by the server system to securely identify and re-identify a specific client user. Providing the user name and password to initiate each purchase session with a particular server is the minimum required to authenticate the client user. The underlying secure HTTP protocol session ensures that the user name and password are securely transmitted in an encrypted form over the Internet to the correct server. By the fundamental nature of the key exchange encryption algorithm used, only the server can decrypt to clear text the user name and password provided from the client browser.
A secure HTTP session may span a number of individual HTTP transactions between a client browser and server. With each of these individual transactions, the exchange keys are in effect permuted synchronously by both the browser and server to vary the encryption coding used for each transaction. However, each established secure HTTP session requires definite closure to prevent a security breach commonly known as a "third party assumption of identity attack." That is, a third party may be able to continue the secure session started by another client browser relative to the server. Since client user authentication only occurs at the initiation of the secure session, the third party fully assumes the authorization of the session initiating client browser.
Consequently, commercial transactions over the Internet conventionally require three distinct phases in order to securely perform a purchase transaction. The first phase, conducted once a secure HTTP session is established, is a logon transaction where the client user provides a user name and password for authentication by the server. Once authenticated, a second or selection phase allows the client user to select products and services for purchase. The server system must in some way continually track and manage the selections made by the client. The server may record or log each selection against the client account as the selections are made. This second phase is therefore an extended transaction that is made up of many discrete HTTP transactions. Such an extended selection transaction is subject to failure for a variety of conventional reasons, including simply an extended delay in the selection process, resulting in an incomplete or incorrect record of partial purchase selections being kept by the server system. Without authoritative closure of the purchase transaction, the server system typically aborts the purchase and discards the record of selected items.
A facility known as persistent client-side cookies has been introduced to provide a way for server systems to store selected information on client systems. Cookies are created at the discretion of the server system in response to specific client URL requests. Part of the server response is a cookie consisting of a particularly formatted string of text including a cookie identifier, a cookie path, a server domain name and, optionally, an expiration date and a secure marker. The cookie is automatically discarded by the client system based on the expiration date. If the secure marker is present, then the cookie is only returned to a server system during a secure transaction. When a URL request is made by the client, the cookie paths and domain names of the cookies stored by the client are compared with those of the URL request. Cookies with matching paths and domain names are passed with the client URL request to the server system. Any text associated with the identifier is also passed back to the server system. In Internet purchasing applications, the identifiers and associated text can be used to store information about the current purchase selections.
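As an added illustration of the cookie handling just described (this is example code, not part of the patent), the following Python splits a server's cookie string into its fields and decides which stored cookies a client would return with a given URL request, applying the expiration discard, the domain and path comparison, and the secure-marker rule. The attribute syntax, the date format, the domain vendor.example and the cookie values are assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse
def parse_set_cookie(header):
    # Split the server's cookie string into identifier, text, path, domain,
    # expiration date and secure marker (simplified attribute syntax assumed).
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "path": "/",
              "domain": None, "expires": None, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "path":
            cookie["path"] = val or "/"
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "expires":
            cookie["expires"] = datetime.strptime(val, "%a, %d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)
        elif key == "secure":
            cookie["secure"] = True
    return cookie

def path_matches(request_path, cookie_path):
    # Prefix match on whole path segments: /shop covers /shop/cart, not /shopping.
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookies_for_request(jar, url, now=None):
    # Return the identifier=text pairs the client would pass with this URL request.
    u, now = urlparse(url), now or datetime.now(timezone.utc)
    host, path = (u.hostname or "").lower(), u.path or "/"
    sent = []
    for c in jar:
        if c["expires"] is not None and c["expires"] <= now:
            continue  # expired: the client has discarded it
        if c["domain"] is None or not (host == c["domain"] or host.endswith("." + c["domain"])):
            continue  # server domain name must match the request
        if not path_matches(path, c["path"]) or (c["secure"] and u.scheme != "https"):
            continue  # path mismatch, or secure marker set on a non-secure request
        sent.append(f"{c['name']}={c['value']}")
    return sent

# Constructed sample jar (hypothetical vendor, not real cookies)
SAMPLE_JAR = [parse_set_cookie(h) for h in (
    "cart=item42; Path=/shop; Domain=vendor.example; Expires=Thu, 01 Jan 2099 00:00:00 GMT; Secure",
    "prefs=lang-en; Path=/; Domain=vendor.example",
    "old=stale; Path=/; Domain=vendor.example; Expires=Tue, 01 Jan 2019 00:00:00 GMT")]
```

Calling cookies_for_request(SAMPLE_JAR, "http://www.vendor.example/shop/checkout") omits the Secure-marked cart cookie, which is only returned when the same request is made over https.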
Finally, the third phase requires some action on the part of the client user to initiate closure of the purchase transaction and the secure session. Typically, the third phase is entered when the client user indicates that all product and service selections are complete. A summary order confirmation form is then presented by the server. The purchase transaction and the secure session are closed on acceptance or cancellation of the order as presented.
The convenience of conventional purchase transactions via the Internet, however, leaves much to be desired. Because of the security concerns, a secure purchase session is limited to encompassing a single vendor at a time due to the required three phase login, select, commit purchase protocol required to ensure the integrity of a secure purchase session. Not only is the three phase purchase transaction itself self-evidently cumbersome and thereby a limiting barrier to convenient use by client users, but many purchases may involve only a single purchasable item or some number of items that are available only from distinctly different vendors. Where the purchase transaction is only for a single item, the necessity of executing a complete three phase purchase protocol distinctly reduces the likelihood that a client user will actually bother to make the purchase. A greater barrier exists where the purchase transaction, from the client user's perspective, is of multiple items from multiple vendors. The necessity of completing independent three phase purchase transactions with each of the vendors, particularly where the purchased items are not entirely planned for or are subject to comparative interdependent selection, presents a significant barrier to the client user conveniently and expediently making the purchase of products and services. The three phase purchase transaction is simply cumbersome and limiting and will become more so as products and services are more widely available from different vendors over the Web.
Another aspect of convenience relates to the speed at which purchase transactions can be performed and the efficiency of the vendors in fulfilling the order for products and services. The implicit requirement for a three phase purchase transaction is fundamentally slow due to the requirement of client user planning of the purchase transactions where products or services are to be procured from independent vendors and alternately by requiring a decision to purchase to be made prior to determining or selecting precisely what will be purchased.
In addition, the conventional three phase purchase transaction greatly limits the flexibility of different types of vendors to deliver ordered products and services in their chosen most efficient manner. All products selected during a secure purchase session are, in effect, ordered from the single vendor regardless of whether another vendor might actually be the source of a product or service sold. The server vendor receives the entire order and must independently place orders with supporting vendors by conventional means. As an implicit result, electronic catalog vendors, agent vendors, and order-clearinghouse type vendors are constrained to separately process each and every ordered product or service to lower-tier vendors. Although an electronic catalog vendor, for example, might wish to have each lower-tier vendor directly fulfill their part of an order, the server vendor must itself discriminate which products are to be sourced by which lower-tier vendor and provide shipping and indirect billing information. In general, direct order fulfillment from multiple vendors, though the purchase transaction appears to be simply with the electronic catalog vendor, would be significantly more efficient for both the end user and the involved vendors. Products and services would be shipped or provided sooner and with less opportunity for error, while ordered products and services are automatically processed through to the correct vendor with the correct billing and shipping information.
Consequently, there is a clear need for the ability to perform purchase transactions over the Internet that are secure, convenient and efficient both for a client user and the many different vendors of products and services available over the Internet.