Recently, various web services have been provided to users in an online environment. Some web service providers require users to join as members and pass user authentication in order to receive services under a member's authority.
For web services to be provided to members in a safe manner, privacy and security should be guaranteed together with the assignment of authority to the members. That is, once a user authentication process is completed, it is desirable that the members are not inconvenienced in using the web services according to their authorities while a specific session is maintained; but for a web service which requires user authentication, the members' security should be protected.
FIG. 1 provides a schematic view showing a conventional user authentication system. The conventional user authentication system includes a client 10, a login server 20 and a service web server 30. The conventional user authentication system maintains a user session by using a session cookie and provides a web service.
The client 10 inputs user's ID and a password into a login page of a web browser and transmits the ID and password to the login server 20 (S1).
The login server 20, which performs the user authentication, allows login when the ID and password are identical to those already registered in a user database (not illustrated) and transmits the session cookie for maintaining the session to the client (S2).
A cookie includes character string information which is transmitted to the web browser of a client by a web server and is sent back to the server upon a request of the server. The cookie may include data regarding who viewed what information of which web site.
The session cookie may include various kinds of personal information such as an ID, an e-mail address, a name, a birth date, sex, or the like.
When the client 10, after login, wants to use a web service corresponding to a specific URL of the service web server 30, the client 10 transmits the relevant URL and the session cookie (S3).
In response to transmission of the URL, the service web server 30 checks whether or not the session cookie is still valid (e.g., by checking for timeout). If it is still valid, the service web server 30 provides the web service corresponding to the URL; if a timeout is ascertained, a message of "access denied" or a message of "timeout" is returned (S4, S5).
The conventional system, however, has a drawback in that the session cookie may be hijacked by an illegal user such as a hacker or the like. For example, the hacker may use a malicious program to capture packets transmitted from the client PC, which is called 'sniffing.' Since the character string of the session cookie is encrypted, it is not easy to recover an ID and a password even if the session cookie is hijacked. Nonetheless, once the session cookie is hijacked, it can be used by others to access a specific web service.
In a method that has been proposed to solve this problem, only a session cookie transmitted from a predetermined IP address is accepted for user authentication. This method, however, is not suitable for the current and future ubiquitous environment and network portability. In particular, a significant number of users use a plurality of IP addresses, for example, when the location of the client is changed (e.g., from home or office to an internet cafe), when a wireless LAN using dynamic IP assignment is used, or when a private network behind a NAT (Network Address Translation) device is used. Accordingly, the method has become an obstacle to frequent use of web services.
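The following is an added illustration, not part of the original disclosure, of the conventional flow above (S1 to S5) together with the proposed IP-binding check. The login server, user database, session timeout value and IP addresses are all assumed for the example; it shows how the timeout check works and why binding the session cookie to the login IP address rejects a legitimate member whose address changes.

```python
import secrets
import time

SESSION_TTL_SECONDS = 1800  # assumed session timeout; the text gives no value


class LoginServer:
    """Verifies ID/password and issues a session cookie (steps S1 and S2)."""

    def __init__(self, user_db):
        # {user_id: password}; plaintext only to keep the example short.
        # A real login server would store salted password hashes.
        self.user_db = user_db
        self.sessions = {}  # token -> {"id", "ip", "expires"}

    def login(self, user_id, password, client_ip, now=None):
        now = time.time() if now is None else now
        if self.user_db.get(user_id) != password:
            return None  # login refused, no cookie issued
        # Opaque random token: the cookie carries no personal data itself.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "id": user_id,
            "ip": client_ip,  # address seen at login, used only if bind_to_ip
            "expires": now + SESSION_TTL_SECONDS,
        }
        return token


class ServiceWebServer:
    """Checks the session cookie before serving a URL (steps S3 to S5)."""

    def __init__(self, sessions, bind_to_ip=False):
        self.sessions = sessions  # shared with the login server
        self.bind_to_ip = bind_to_ip  # the proposed IP-address restriction

    def request(self, url, token, client_ip, now=None):
        now = time.time() if now is None else now
        session = self.sessions.get(token)
        if session is None:
            return "access denied"  # unknown or already expired cookie
        if now >= session["expires"]:
            self.sessions.pop(token, None)  # timeout: discard the session
            return "timeout"
        if self.bind_to_ip and session["ip"] != client_ip:
            # Rejects a hijacked cookie sent from elsewhere, but also a member
            # who moved to an internet cafe or changed NAT/dynamic IP address.
            return "access denied"
        return f"service for {url} as {session['id']}"
```

With `bind_to_ip=False` the same cookie is accepted from any address, which is the hijacking weakness the text describes; with `bind_to_ip=True` a member whose IP address changes mid-session is denied, which is the portability drawback.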
There is thus a need for an advanced user authentication system and a method thereof.
The above information disclosed in this Background Art section is only for enhancement of understanding of the background of the invention, and therefore it may contain information that does not form the prior art already known in this country to a person of ordinary skill in the art.