The Internet is by far the largest, most extensive publicly available network of interconnected computer networks that transmit data by packet switching using a standardized Internet Protocol (IP) and many other protocols. The Internet has become an extremely popular source of virtually all kinds of information. Increasingly sophisticated computers, software, and networking technology have made Internet access relatively straightforward for end users. Applications such as electronic mail, online chat and Web browser allow the users to access and exchange information almost instantaneously.
The World Wide Web (WWW) is one of the most popular means used for retrieving information over the Internet. The WWW can cope with many types of data which may be stored on computers, and is used with an Internet connection and a Web browser. The WWW is made up of millions of interconnected pages or documents which can be displayed on a computer or other interface. Each page may have connections to other pages which may be stored on any computer connected to the Internet. A Uniform Resource Identifier (URI) is the identifying system of the WWW, and typically consists of three parts: the transfer format (also known as the protocol type), the host name of the machine which holds the file (also referred to as the Web server name) and the path name to the file. The transfer format for standard Web pages is Hypertext Transfer Protocol (HTTP). Hypertext Markup Language (HTML) is a method of encoding the information so it can be displayed on a variety of devices.
HTTP is the underlying transactional protocol for transferring files (text, graphic images, sound, video, and other multimedia files) between clients and servers. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. A Web browser, as an HTTP client, typically initiates a request by establishing a TCP/IP connection to a particular port on a remote host. An HTTP server monitoring that port waits for the client to send a request string. Upon receiving the request string (and message, if any), the server may complete the protocol by sending back a response string, and a message of its own, in the form of the requested file, an error message, or any other information. Web pages regularly reference pages on other servers, whose selection elicits additional transfer requests. When the browser user enters a file request, either by "opening" a Web file by typing in a Uniform Resource Locator (URL) or by clicking on a hypertext link, the browser builds an HTTP request. In actual applications, when a plurality of clients connect to a cluster of servers, the clients may need to be distinguished and authenticated, the servers need to maintain session state, and the clients need to be directed to the same server for the duration of the session. Otherwise, a client may reconnect to a different server than the one it started the session with. The servers may use a state management mechanism based on a session token.
The identity of the user is authenticated through the presentation and validation of a set of credentials at the start of a token-based session, for example the validation of an ID and password, the validation of any other type of information that derives from information that the user knows, or the validation of various characteristics, such as biometric credentials. After authentication, the identity of the user is established and this identity may be used by the underlying Web application to ensure that the user is handled in an appropriate way. Typically, this includes ensuring that the user has been given authorization to perform the requested privileged activities. This identity may also be used to ensure correct association with other information related to identity, such as valid financial instruments. Authentication results in the return of an authentication token from the authenticating server to the client. When implemented over HTTP, the authentication token may be carried in a session cookie.
The authentication token is presented with each subsequent request from the client. When a client sends a message, the client sends the authentication token, along with the message, to signify the authenticated identity of the client. The authentication token is provided in lieu of authentication credentials because the receiving system may recognize the authentication token and use the authentication token to retrieve information about the previously authenticated client. The session cookie with the authentication token may also be used by the server to compare information about the current session with previously stored information. Session information may include information about the original credentials presented plus session attributes such as duration, originating system or network, and more. Secure session management therefore involves a system where the client submits the session cookie with each request, and the receiving system validates the cookie with each request.
By a request from the client, the secured session may be terminated. Upon termination of a session, if the client system subsequently attempts to present the authentication token that corresponds to the terminated session, an error will occur and the target of the request will reject the request.
However, nowadays it is quite possible for a user at a client site to establish simultaneously a plurality of sessions to a plurality of servers during one log-on. Furthermore, the client may establish an authentication session with an authentication server, and receive one or more authentication tokens for one or more servers in other, independent sessions.
The user may not be aware of the additional sessions, or may forget to terminate one of them. In this scenario, one of the secured sessions is still unknowingly maintained, thus compromising the security of the client-server system. Prior art methods and systems fail to address this shortcoming.
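The validate-with-each-request and termination behaviour of the preceding paragraphs, together with the lingering-session problem they describe, as an added Python illustration (not the page's own code nor that of any cited patent); the in-memory store, its field names, the originating-network check and the per-log-on termination are assumptions:

```python
import secrets
import time

# Constructed in-memory store modelling the token-based session management
# described above (added illustration, not the page's own system).
class SessionStore:
    def __init__(self, max_age_s=3600):
        self.max_age_s = max_age_s
        self.sessions = {}   # token -> session record
        self.by_logon = {}   # logon_id -> tokens issued during that log-on

    def issue(self, logon_id, user, server, client_net, now=None):
        """Return an authentication token once credentials were validated."""
        token = secrets.token_urlsafe(32)   # unguessable, so it cannot be forged
        self.sessions[token] = {"user": user, "server": server, "net": client_net,
                                "issued": now or time.time(), "logon": logon_id}
        self.by_logon.setdefault(logon_id, set()).add(token)
        return token

    def validate(self, token, server, client_net, now=None):
        """Check the cookie presented with a request against stored session state."""
        s = self.sessions.get(token)
        if s is None:
            return False                    # unknown or already terminated token
        if s["server"] != server or s["net"] != client_net:
            return False                    # wrong server or originating network
        if (now or time.time()) - s["issued"] > self.max_age_s:
            self.terminate(token)           # session duration exceeded
            return False
        return True

    def terminate(self, token):
        s = self.sessions.pop(token, None)
        if s is not None:
            self.by_logon[s["logon"]].discard(token)

    def terminate_logon(self, logon_id):
        """Terminate every session issued during one log-on so none lingers."""
        for token in list(self.by_logon.get(logon_id, ())):
            self.terminate(token)

def lingering_session_demo():
    """One log-on, tokens for two servers; logging out of one leaves the other live."""
    store = SessionStore()
    ta = store.issue("logon-1", "alice", "srvA", "192.0.2.0/24")
    tb = store.issue("logon-1", "alice", "srvB", "192.0.2.0/24")
    store.terminate(ta)                                # user ends only the srvA session
    lingering = store.validate(tb, "srvB", "192.0.2.0/24")   # still True
    store.terminate_logon("logon-1")                   # synchronized termination
    return lingering, store.validate(tb, "srvB", "192.0.2.0/24")
```

The first value returned by the demo is the unknowingly maintained session; the second shows that terminating every token issued in the same log-on closes it.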
US patent application 20040128547, for example, describes a system with a modular authentication means, in which an authentication server module is made available to various remote applications to facilitate authentication of users. An authentication client interfaces with the authentication server module to transmit the authentication information. When a client receives a request to perform a task from a user, the client forwards the request to a module that is configured to authenticate the user. The authentication module verifies the identity of the user and may supply a session cookie indicative of the verification. Thereafter, the predetermined permissions of the user are determined. After it is determined that the user has permission to perform the requested task, the requested task is performed. The permissions may be stored in an access control list that contains data regarding the identity and privileges of the user.
U.S. Pat. No. 7,225,464 attempts to identify a user session with the help of a federated convention known as the domain name service (DNS). The DNS provides a look-up service for IP addresses on a network for navigating purposes. The service finds an IP address for a querying machine. IP addresses are both allocated and assigned depending on the type of use and class of the address. A client machine that is transient will retain the same IP address only while it is logged on to the Internet during a single network session. Therefore the DNS system can identify a specific machine during a multi-site browsing session. It is envisioned that the host of a password-protected or otherwise secure Web site or Web function could identify a user remotely by knowing the user ID at a level that is more granular than the IP address, and could validate the state of a session from a reliable source. A session token is issued after a first successful authentication by the user at a Web site during a network session; the token is cached at a server and at the user's machine or proxy machine, and upon navigation by the user to a next Web site or form requiring secure authentication, the token is used to identify the user and a remote call is used to validate the user session instead of requiring manual authentication procedures.
These prior art systems and methods do not address the security risk posed by a failure to terminate one of the sessions.
Accordingly, systems and methods are needed in order to overcome these and other limitations of the prior art.
There is further a need to synchronize the sessions between a client and a plurality of servers across a plurality of sessions.