1. Field of the Invention
The present invention relates to a security system for validating Web-Based requests, and more specifically, to a security system whereby web browser users can interact with transaction applications implemented using an incompatible security technique.
2. Description of the Prior Art
The methods by which companies conduct business with their customers are undergoing fundamental changes, due in large part to World Wide Web technology. In addition, the same technology that makes a company accessible to the world, may be used on internal company networks for conducting operational and administrative tasks.
One of the technologies underlying the World Wide Web is the web browser. Web browsers have become a de facto user interface standard because of their ability to interpret and display information having standard formats (e.g., HyperText Markup Language (HTML), standard text, GIF, etc.). Client software programs, popularly referred to as web browsers (e.g., Mosaic, Netscape Navigator, Microsoft Internet Explorer, etc.), execute on client systems and issue requests to server systems. The server systems typically execute HyperText Transport Protocol (HTTP) server programs which process requests from the web browsers and deliver data to them. The system that executes an HTTP server program and returns data to the web browser will hereinafter be referred to as a Web Server System. An HTTP server program itself will be referred to as a web server.
A Web Server System has access to on-line documents that contain data written in HyperText Markup Language (HTML). The HTML documents contain display parameters, capable of interpretation by a web browser, and references to other HTML documents and web servers (source: World Wide Web: Beneath the Surf, from UCL Press, by Mark Handley and Jon Crowcroft, on-line at http://www.cs.ucl.ac.uk/staff/jon/book/book.html).
As web browsers are making their mark as a "standard" user interface, many businesses have a wealth of information that is managed by prior art database management systems such as DMS, RDMS, DB2, Oracle, Ingres, Sybase, Informix, and many others. In addition, many of the database management systems are available as resources in a larger transaction processing system. There are also mission critical applications which still reside on enterprise servers, since these types of systems have resiliency and recovery features historically not available on other smaller types of servers.
One key to the future success of a business may lie in its ability to capitalize on the growing prevalence of web browsers in combination with selectively providing access to the data that is stored in its databases. Common Gateway Interface (CGI) programs are used to provide web browser access to such databases.
The Common Gateway Interface (CGI) is a standard for interfacing external applications, such as web browsers, to obtain information from information servers, such as web servers. The CGI allows programs (CGI programs) to be referenced by a web browser and executed on the Web Server System. For example, to make a UNIX database accessible via the World Wide Web, a CGI program is executed on the Web Server System to: 1) transmit information to the database engine; 2) receive the results from the database engine; and 3) format the data in an HTML document which is returned to the web browser. CGI variables typically include information such as the IP address of the browser, or the port number of the server.
Often associated with CGI Variables, cookies are packets of information which may be sent back to a user system after the user accesses a web site. These packets of information indicate how a user utilized various functions associated with the site. This information will be stored on the user system along with the Uniform Resource Locator (URL) for the web site, and the information is passed back to the server if the user accesses the web site again.
Server software uses the user history provided by the cookies to make decisions regarding how the user request is to be handled. For example, assume the web site involves history. The cookie information will inform the server that the current request is from a user interested in the Civil War. This allows the server to provide the user with advertisements on books related to the Civil War.
There is a growing need for greater assurances that information being passed along the Internet is secure and will not be intercepted. Some of the problems involved with Internet hacking include stolen access, stolen resources, email counterfeiting, vandalization, and Internet agents (worms) (source: Matteo Foschetti, Internet Security, California State University, Fullerton, April 1996, available on-line at: http://www.ecs.fullerton.edu/~foschett/security.html). Many consumers have the general perception that transacting business on the Internet is not safe, thus they are reluctant to participate in Internet activities such as online shopping, sending messages, submitting to newsgroups, or web surfing. Although some people's perception of Internet security breaches may be somewhat overblown, figures do prove the vulnerability of the Internet. It has been estimated that over 80% of all computer crimes take place using the Internet. With over 30,000 interconnected networks and 4.8 million attached computers including over 30 million users, there is a legitimate Internet security concern.
Businesses are faced with the challenge of adapting their present usage of yesterday's technology to new opportunities that are made available with the World Wide Web. Most business application software and underlying databases are not equipped to handle interaction with web browsers. It would therefore be desirable to have a secure, flexible and efficient means for allowing interoperability between enterprise-based business application software and the World Wide Web. Unfortunately, because many of the existing commercial database systems were implemented before the Internet, they often have different and incompatible security approaches from those utilized by commercially available web browsers.
The present invention overcomes many of the disadvantages associated with the prior art by providing a system and method which allows the secure interchange of transaction information between a web browser user employing a first security approach and an existing On-Line Transaction Processing (OLTP) enterprise server employing a second security approach. Previously, it was necessary to conform the web browser and enterprise server security systems, or conduct only unprotected and non-secure transactions.
Many existing OLTP systems have security systems with closed and application-embedded security logic. These techniques were developed in an era in which user terminals tended to lack the processing capability to actively participate in the security effort. However, current web based systems have basic user terminals which are personal computers having substantial processing capability. As a result, open and terminal intensive security systems have become the norm.
As a result of the need to add security provisions to web based applications and the availability of user terminal processing capability, the current commercial browsers (e.g., Microsoft Internet Explorer, Netscape Navigator, etc.) have been equipped with Secure Sockets Layer (SSL) and other standardized security techniques. These standardized approaches are most concerned with providing security for each individual data transfer. Whereas this type of security is important, it is primarily directed to web information gathering activities.
Many typical existing applications on the OLTP enterprise servers involve transaction sessions. These require a user to "sign-on" with a user-id and password. The purpose of this sign-on is to identify the user and the user's level of access to the OLTP enterprise server. Following validation of the user-id and password, the user typically interacts with the OLTP enterprise server over a period of time during which numerous data transmissions are made in both directions.
In accordance with the preferred mode of the present invention, the facility is provided to ensure security for each session and each individual data transmission within each session. This is accomplished by providing an overall security environment in which each individual data transmission is protected by the standards-based security system of the commercial web browser. Simultaneously, session security is maintained through the use of the enhanced security protocol of the present invention. Sign-on and sign-off are performed over the Internet from the web browser. Each individual transaction within the session is separately checked to ensure that it is a communication associated with the validated user-id and password of the session user.
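The session layer described above, written here as an added illustration rather than the patent's own code: a gateway validates the user-id and password once at sign-on, issues a MAC-bound session token, and checks each later transaction against that validated session before it would be forwarded to the OLTP server. The SessionGateway class, the OLTP_USERS credential table and the token format are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credential table standing in for the OLTP server's sign-on check
# (hypothetical; the patent text does not define one).
OLTP_USERS = {"alice": "correct horse", "bob": "hunter2"}


class SessionGateway:
    """Hypothetical web-to-OLTP gateway: sign on once, then validate every transaction."""

    def __init__(self, session_ttl=600):
        self._key = secrets.token_bytes(32)  # server-side MAC key, never sent to the browser
        self._sessions = {}                  # session id -> (user-id, expiry time)
        self._ttl = session_ttl

    def _mac(self, sid, user):
        return hmac.new(self._key, f"{sid}:{user}".encode(), hashlib.sha256).hexdigest()

    def sign_on(self, user, password):
        """Validate user-id/password once; return a session token, or None on failure."""
        expected = OLTP_USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        sid = secrets.token_hex(16)
        self._sessions[sid] = (user, time.time() + self._ttl)
        return f"{sid}.{user}.{self._mac(sid, user)}"

    def validate_request(self, token):
        """Check the token carried by one transaction; return the session's user-id or None."""
        try:
            sid, user, tag = token.split(".")
        except ValueError:
            return None  # malformed token
        if not hmac.compare_digest(tag.encode(), self._mac(sid, user).encode()):
            return None  # token forged or altered in transit
        entry = self._sessions.get(sid)
        if entry is None or entry[0] != user or entry[1] < time.time():
            return None  # session signed off, unknown, or expired
        return user

    def sign_off(self, token):
        """End the session so its token is rejected from now on."""
        if self.validate_request(token) is None:
            return False
        del self._sessions[token.split(".")[0]]
        return True
```

Per-transmission confidentiality is left to SSL between browser and gateway, exactly as the text divides the two concerns.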