(12) United States Patent
Howard et al.

(10) Patent No.: US 6,584,505 B1
(45) Date of Patent: Jun. 24, 2003

(54) AUTHENTICATING ACCESS TO A NETWORK SERVER WITHOUT COMMUNICATING LOGIN INFORMATION THROUGH THE NETWORK SERVER

(75) Inventors: John Hal Howard, Redmond, WA (US); Jeffrey C. Kunins, Seattle, WA (US); Darren L. Anderson, Bellevue, WA (US); Ryan W. Battle, Seattle, WA (US); Max E. Metral, Boston, MA (US)

(73) Assignee: Microsoft Corporation, Redmond, WA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/349,619
(22) Filed: Jul. 8, 1999
(51) Int. Cl.7: G06F 15/170
(52) U.S. Cl.: 709/225; 709/227; 709/229
(58) Field of Search: 370/338; 380/244; 709/201, 225, 227, 229

(56) References Cited

U.S. PATENT DOCUMENTS

5,586,260 A 12/1996 Hu
5,590,199 A 12/1996 Krajewski, Jr. et al.
5,649,099 A 7/1997 Theimer et al.
5,684,950 A 11/1997 Dare et al.
5,778,065 A 7/1998 Hauser et al.
6,088,450 A 7/2000 Davis et al.
6,105,131 A 8/2000 Carroll
6,148,402 A 11/2000 Campbell
6,189,103 B1 2/2001 Nevarez et al.
6,198,824 B1 3/2001 Shambroom
6,256,741 B1 7/2001 Stubblebine
6,263,432 B1 7/2001 Sasmazel et al.
6,278,705 B1 * 8/2001 Chau et al. 370/338
6,279,111 B1 8/2001 Jensenworth et al.
6,292,895 B1 9/2001 Baltzley
6,301,658 B1 10/2001 Koehler
6,317,838 B1 * 11/2001 Baize 380/244
2002/0002688 A1 * 1/2002 Gregg et al. 709/201

OTHER PUBLICATIONS

Kohl et al., "The Kerberos Network Authentication Service (V5)," Network Working Group RFC 1510, www.cic.ohio.edu, Sep. 1993 (retrieved at http://www.ietf.org/rfc/rfc1510.txt?number=1510).

* cited by examiner

Primary Examiner: Le Hien Luu
(74) Attorney, Agent, or Firm: Lee & Hayes, PLLC

(57) ABSTRACT

A system determines whether to grant access to a network server by a user. Initially, a user attempts to gain access to a network server, such as a web server. Prior to granting access to the network server, the network server authenticates the user by sending an authentication request to an authentication server. The authentication server determines whether the user was already authenticated by the authentication server. If the user was already authenticated by the authentication server, then the network server is notified that the user is authenticated. The network server then grants the user access to the network server. If the user was not already authenticated by the authentication server, then login information is retrieved from the user and compared to authentication information maintained by the authentication server. If the retrieved login information matches the authentication information, then the network server is notified that the user is authenticated. The retrieved login information and the authentication information are concealed from the network server. If the user is authenticated, then a user profile is communicated to the network server along with the notification that the user is authenticated. If the user is successfully authenticated, then a cookie is provided to an Internet browser operated by the user. The cookie contains information regarding user authentication, the user's profile, and a list of network servers previously visited by the user.

54 Claims, 6 Drawing Sheets

Facebook and WhatsApp Exhibit No. 1007
Page 1

[Sheet 1 of 6, FIG. 1: network diagram. Client computer system 100, affiliate servers 104, 106 and 108, and authentication server 110 are connected to the network; authentication database 112 is attached to the authentication server. Drawing not reproduced.]

[Sheet 2 of 6: drawing not reproduced.]

[Sheet 3 of 6, FIG. 3: client computer system 100, affiliate server 104 and authentication server 110. Drawing not reproduced.]

[Sheet 4 of 6, FIG. 4: flow diagram. Drawing not reproduced; the step boxes read:]

200  User of client computer system accesses a web page on the affiliate server (A)
202  Affiliate server determines that the user is not authenticated and redirects the user's browser to the authentication server (B and C)
204  Authentication server generates a sign-in web page, which is communicated to the user's browser (D)
206  User completes the sign-in page and clicks "Sign-In" to send the information to the authentication server (E)
208  User-entered information correct?
210  No: generate and communicate a web page to the user indicating failed authentication
212  Yes: authentication server sets cookies and redirects the user's browser to the affiliate server (F)
214  User profile information communicated to the affiliate server (G)
216  Affiliate server generates a personalized web page and communicates the web page to the user's browser (H)

[Sheet 5 of 6, FIG. 5: client computer system 100, affiliate server 104 and authentication server 110. Drawing not reproduced.]

[Sheet 6 of 6, FIG. 6: flow diagram. Drawing not reproduced; the step boxes read:]

230  User of client computer system accesses a web page on the affiliate server (A)
232  Affiliate server determines that the user is not authenticated and redirects the user's browser to the authentication server (B and C)
234  Authentication server retrieves affiliate information and determines whether the most recent authentication is acceptable to the affiliate
236  Most recent authentication acceptable?
     No: retrieve and authenticate user information
240  Yes: authentication server copies cookies to the client computer system and redirects the user's browser to the affiliate server (D)
242  User profile information communicated to the affiliate server (E)
244  Affiliate server generates a personalized web page and communicates the web page to the user's browser (F)

AUTHENTICATING ACCESS TO A NETWORK SERVER WITHOUT COMMUNICATING LOGIN INFORMATION THROUGH THE NETWORK SERVER

TECHNICAL FIELD

This invention relates to user authentication systems. More particularly, the invention relates to the authentication of a user through an authentication server prior to granting access to an affiliate server. The authentication system also provides a mechanism for the central storage of user profile information.

BACKGROUND OF THE INVENTION

The recent growth in popularity of the Internet has significantly increased the number of Internet users and the number of Internet sites (also referred to as "web sites"). Web sites may provide various types of information to users, offer products or services for sale, and provide games and other forms of entertainment. Many web sites require users to "register" by providing information about themselves before the web server grants access to the site. This registration information may include the user's name, account number, address, telephone number, email address, computer platform, age, gender, or hobbies. The registration information collected by the web site may be necessary to complete transactions (such as commercial or financial transactions). Additionally, information can be collected which allows the web site operator to learn about the visitors to the site to better target its future marketing activities or adjust the information provided on the web site. The collected information may also be used to allow the web site to contact the user directly (e.g., via email) in the future to announce, for example, special promotions, new products, or new features of the web site.

When registering with a web site for the first time, the web site typically requests that the user select a login ID and an associated password. The login ID allows the web site to identify the user and retrieve the user's information during subsequent user visits to the web site. Generally, the login ID must be unique to the web site such that no two users have the same login ID. The password associated with the login ID allows the web site to authenticate the user during subsequent visits to the web site. The password also prevents others (who do not know the password) from accessing the web site using the user's login ID. This password protection is particularly important if the web site stores private or confidential information about the user, such as financial information or medical records.

If a user visits several different web sites, each web site may require entry of similar registration information about the user, such as the user's name, mailing address, and email address. This repeated entry of identical data is tedious when visiting multiple web sites in a short period of time. Many web sites require the user to register before accessing any information provided on the web site. Thus, the user must enter the requested registration information before they can determine whether the site contains any information of interest.

After registering with multiple web sites, the user must remember the specific login ID and password used with each web site or other Internet service. Without the correct login ID and password, the user must re-enter the registration information. A particular user is likely to have different login IDs and associated passwords on different web sites. For example, a user named Bob Smith may select "smith" as his login ID for a particular site. If the site already has a user with a login ID of "smith" or requires a login ID of at least six characters, then the user must select a different login ID. After registering at numerous web sites, Bob Smith may have a collection of different login IDs, such as: smith, smith1, bsmith, smithb, bobsmith, bob_smith, and smithbob. Further, different passwords may be associated with different login IDs due to differing password requirements of the different web sites (e.g., password length requirements or a requirement that each password include at least one numeric character). Thus, Bob Smith must maintain a list of web sites, login IDs, and associated passwords for all sites that he visits regularly.

SUMMARY OF THE INVENTION

The invention allows a web user to maintain a single login ID (and associated password) that provides access to multiple web servers or services. Once the user has logged into an authentication server, it is not necessary to re-enter the login ID or user information when accessing other affiliated web servers. The single login ID has an associated user profile that contains the registration information typically requested by web servers during a user registration process. The authentication server authenticates each login ID using the associated password. The individual web servers are not required to authenticate the individual users. Further, to protect the user's password, the individual web servers do not receive the user's password. Instead, the individual web servers receive an indication of whether the user is logged into the authentication server and how long since the user login ID was last authenticated by the authentication server. The web servers execute a code sequence that allows each web server to interact with the authentication server.

An implementation of the invention receives a request from a network server to authenticate a user who is attempting to gain access to the network server. The process determines whether the user was already authenticated by the authentication server. If the user was already authenticated, then the network server is notified that the user is authenticated. If the user was not already authenticated by the authentication server, then login information is retrieved from the user and compared to authentication information maintained by the authentication server. The network server is notified that the user is authenticated if the retrieved login information matches the authentication information.

Other aspects of the invention provide for the determination of an elapsed time since the last authentication of the user. If the elapsed time since the last authentication of the user exceeds a timeout period identified by the network server, then the authentication of the user is refreshed.

In the described implementation of the invention, the user's login information and the authentication information maintained by the authentication server are concealed from the network server.

In accordance with another aspect of the invention, a user profile is communicated to the network server when providing notice that the user is authenticated.

Another aspect of the invention provides a cookie to an Internet browser operated by the user if the retrieved login information matches the authentication information. The cookie may contain user profile information, user authentication information, or a list of network servers previously visited by the user.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an exemplary network environment in which the present invention is utilized.

FIG. 2 is a block diagram showing pertinent components of a computer in accordance with the invention.

FIGS. 3 and 4 illustrate the interaction between the client computer system, a particular affiliate server and the authentication server when a user of the client computer system seeks access to the affiliate server.

FIGS. 5 and 6 illustrate the interaction between the client computer system, a particular affiliate server and the authentication server in a different situation.

DETAILED DESCRIPTION

FIG. 1 illustrates an exemplary network environment in which the present invention is utilized. A client computer system 100 is coupled to a network 102. In this example, network 102 is the Internet (or the World Wide Web). However, the teachings of the present invention can be applied to any data communication network. Multiple affiliate servers 104, 106, and 108 are coupled to network 102, thereby allowing client computer system 100 to access web servers 104, 106, and 108 via the network. Affiliate servers 104, 106, and 108 are also referred to as "web servers" and "network servers". An authentication server 110 is also coupled to network 102, allowing communication between the authentication server and client computer system 100 and web servers 104, 106, and 108. Although referred to as an "authentication server", authentication server 110 is also a web server capable of interacting with web browsers and other web servers. In this example, data is communicated between the authentication server, client computer system, and web servers using the hypertext transfer protocol (HTTP), a protocol commonly used on the Internet to exchange information.

An authentication database 112 is coupled to authentication server 110. The authentication database 112 contains information necessary to authenticate users and also identifies which elements of the user profile information should be provided to a particular affiliate server when the user accesses the affiliate server. Although the authentication database 112 is shown separately from the authentication server 110, in other embodiments of the invention, the authentication database is contained within the authentication server.

The authentication process, as described below, authenticates a user of client computer 100 seeking access to an affiliate server 104, 106, or 108. The authentication server 110 authenticates the user of client computer 100 by requesting authenticating information, such as the user's login ID and password. If the user is successfully authenticated, then authentication server 110 notifies the appropriate affiliate server that the user is authenticated. As part of the user authentication process, the authentication server 110 may provide certain user profile information to the affiliate server, such as the user's email address, user preferences, and the type of Internet browser installed on client computer 100. This user profile information is associated with the user's login ID so that each time the user logs into an affiliate server, the associated user profile information is available to provide to the affiliate server. This user profile allows the user to enter the information once and use that information during subsequent logins to new affiliate servers.

The term "affiliate server" is defined herein as a web server that has "registered" or otherwise established a relationship or affiliation with the authentication server 110. Each affiliate server 104, 106, and 108 includes a code sequence (not shown) that allows the affiliate server to communicate with the authentication server 110 when a user (who is also registered with the authentication server) requests access to the affiliate server. Additional details regarding the authentication process and the interaction between the client computer, the affiliate servers, and the authentication server are provided below.

FIG. 2 shows a general example of a computer 130 that can be used with the present invention. A computer such as that shown in FIG. 2 can be used for client computer system 100, authentication server 110, or any of the affiliate servers 104, 106 or 108.

Computer 130 includes one or more processors or processing units 132, a system memory 134, and a bus 136 that couples various system components including the system memory 134 to processors 132. The bus 136 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. The system memory 134 includes read only memory (ROM) 138 and random access memory (RAM) 140. A basic input/output system (BIOS) 142, containing the basic routines that help to transfer information between elements within computer 130, such as during startup, is stored in ROM 138.

Computer 130 further includes a hard disk drive 144 for reading from and writing to a hard disk (not shown), a magnetic disk drive 146 for reading from and writing to a removable magnetic disk 148, and an optical disk drive 150 for reading from or writing to a removable optical disk 152 such as a CD ROM or other optical media. The hard disk drive 144, magnetic disk drive 146, and optical disk drive 150 are connected to the bus 136 by an SCSI interface 154 or some other appropriate interface. The drives and their associated computer-readable media provide nonvolatile storage of computer-readable instructions, data structures, program modules and other data for computer 130. Although the exemplary environment described herein employs a hard disk, a removable magnetic disk 148 and a removable optical disk 152, it should be appreciated by those skilled in the art that other types of computer-readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, random access memories (RAMs), read only memories (ROMs), and the like, may also be used in the exemplary operating environment.

A number of program modules may be stored on the hard disk 144, magnetic disk 148, optical disk 152, ROM 138, or RAM 140, including an operating system 158, one or more application programs 160, other program modules 162, and program data 164. A user may enter commands and information into computer 130 through input devices such as a keyboard 166 and a pointing device 168. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are connected to the processing unit 132 through an interface 170 that is coupled to the bus 136. A monitor 172 or other type of display device is also connected to the bus 136 via an interface, such as a video adapter 174. In addition to the monitor, personal computers typically include other peripheral output devices (not shown) such as speakers and printers.

Computer 130 commonly operates in a networked environment using logical connections to one or more remote computers, such as a remote computer 176. The remote computer 176 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to computer 130, although only a memory storage device 178 has been illustrated in FIG. 2. The logical connections depicted in FIG. 2 include a local area network (LAN) 180 and a wide area network (WAN) 182. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, and the Internet.

When used in a LAN networking environment, computer 130 is connected to the local network 180 through a network interface or adapter 184. When used in a WAN networking environment, computer 130 typically includes a modem 186 or other means for establishing communications over the wide area network 182, such as the Internet. The modem 186, which may be internal or external, is connected to the bus 136 via a serial port interface 156. In a networked environment, program modules depicted relative to the personal computer 130, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.

Generally, the data processors of computer 130 are programmed by means of instructions stored at different times in the various computer-readable storage media of the computer. Programs and operating systems are typically distributed, for example, on floppy disks or CD-ROMs. From there, they are installed or loaded into the secondary memory of a computer. At execution, they are loaded at least partially into the computer's primary electronic memory. The invention described herein includes these and other various types of computer-readable storage media when such media contain instructions or programs for implementing the steps described below in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described below.

For purposes of illustration, programs and other executable program components such as the operating system are illustrated herein as discrete blocks, although it is recognized that such programs and components reside at various times in different storage components of the computer, and are executed by the data processor(s) of the computer.

Prior to executing the authentication process described below, both the user of client computer system 100 and the operator of affiliate server 104 "register" with the authentication server 110. This registration is a one-time process which provides necessary information to the authentication server. The user of client computer system 100 registers by providing the user's name, mailing address, email address, and various other information about the user or the client computer system. As part of the user registration process, the user is assigned (or selects) a login ID, which is a common login ID used to access any affiliate server. The login ID may also be referred to herein as a "user name" or "login name". Additionally, the user selects a password associated with the login ID which is used for authentication purposes. After registering and logging into the authentication server, the user can visit any affiliate server (i.e., affiliate servers that are also registered with the same authentication server) without requiring any additional authentication and without re-entering user information that is already contained in the user profile.

The operator of affiliate server 104 registers with the authentication server 110 by providing information about the affiliate server (e.g., server name and internet address). Additionally, the affiliate server provides information regarding its authentication requirements. The authentication requirements can be specified as the maximum time allowed since the last login and entry of authentication information by the user as well as the maximum time allowed since the last "refresh" of the authentication information by the user. Refreshing the authentication information refers to the process of having the user re-enter the password to be certain that the appropriate user is still operating the client computer system. This periodic refreshing of authentication information is useful if the user leaves their computer system without logging out of the authentication server, thereby allowing another individual to access affiliate servers using the login ID of the previous user. If a user requests access to the affiliate server after the maximum time allowed, then the user is re-authenticated (i.e., refreshed) by the authentication server. Thus, although there is a central authentication server, each individual affiliate server can establish its own authentication requirements which are enforced by the authentication server. After registering with the authentication server, the affiliate server can use the authentication server to authenticate any user that has also registered with the authentication server.

FIGS. 3 and 4 illustrate the interaction between the client computer system 100, the affiliate server 104, and the authentication server 110 when a user of the client computer system seeks access to the affiliate server. The example illustrated with respect to FIGS. 3 and 4 describes the situation in which the user of the client computer system 100 has not yet logged into the affiliate server 104 and has not yet been authenticated by the authentication server 110. The lines in FIG. 3 labeled "A" through "H" represent the flow of information or activities during the authentication process. The arrows on the lines indicate the direction of the process flow. The label "A" represents the beginning of the process and the label "H" represents the end of the process. The corresponding steps in FIG. 4 are indicated with the label in parentheses.

FIG. 4 is a flow diagram illustrating the authentication process when a user of the client computer system 100 seeks access to the affiliate server 104. The process begins when the user of the client computer system accesses a web page on the affiliate server (step 200). The client computer system includes a web browser, such as the "Internet Explorer" web browser manufactured and distributed by Microsoft Corporation of Redmond, Washington, for accessing various web sites. The affiliate server determines whether the user seeking access to the server is already logged into the affiliate server (e.g., authenticated) at step 202. In this example, the user is not logged into the affiliate server, so the user must be authenticated before the affiliate server will allow access. To authenticate the user, the affiliate server redirects the user's browser to the authentication server.

In this example, the user has not yet logged into the authentication server. Thus, the authentication server generates a sign-in web page and communicates the web page to the client computer system for display on the user's browser (step 204). The sign-in web page requests the user's login ID and password, which were established when the user registered with the authentication server. The user fills in the requested information on the sign-in web page and clicks a "sign-in" button on the web page to send the information entered to the authentication server (step 206).

Upon receiving the information from the user of the client computer system, the authentication server compares the entered information with the information stored in the authentication database (step 208). If the user-entered information is not correct (i.e., does not match the information stored in the authentication database) then the authentication server generates and communicates a web page to the user indicating the login ID and password combination were not valid (step 210). The web page may give the user an opportunity to re-enter the login ID and password by returning to step 204. Confidential information (such as the login ID and password) is communicated using a secure protocol such as SSL (secure sockets layer). Various other secure protocols or encryption mechanisms can be used to communicate confidential information between the authentication server and the client computer system.

If the user-entered information is correct (i.e., matches the information stored in the authentication database) then the authentication server copies the appropriate cookies to the client computer system and redirects the user's browser to the affiliate server (step 212). A "cookie" is a piece of data provided to a web browser by a web server. The data (i.e., cookie) is sent back to the web server by the web browser during subsequent accesses to the web server. With respect to step 212, one cookie contains information regarding the date and time that the user was authenticated by the authentication server. Another cookie contains information regarding the user profile. The authentication server also updates (or creates) a cookie that contains a list of all sites (or web servers) visited by the user since the last logout from the authentication server. The cookie is updated by adding the current affiliate server to the list of sites visited. This list of sites visited is used to remove cookies from the client computer system when the user logs out of the authentication server. For example, when the user logs out, the authentication server sends a message to each web server on the list of sites visited. Each message is a request for the web server to delete any cookies it placed on the client computer system (e.g., through a browser running on the client computer system).

Cookies written to the client computer system by the authentication server cannot be read by any affiliate server. Similarly, cookies written to the client computer system by a particular affiliate server cannot be read by any other affiliate server. The cookies written by an affiliate server are encrypted using a key that is unique to the affiliate server, thereby preventing other affiliate servers from reading the data stored in the cookies.

The authentication server also communicates the user profile information to the affiliate server (step 214) through the client computer system. In a particular embodiment of the invention, the user of the client computer system can specify, during the registration process, what types of profile information should be provided to various types of web servers. For example, a user may specify that all commerce-related web servers should receive the user's mailing address, but restrict the mailing address from all other types of web sites.
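
The sign-in, silent re-authentication, affiliate-specific timeout, profile-release and logout steps described for FIGS. 3 through 6 above, worked through as one added Python simulation. This is example code written for this page, not code from the patent or from Microsoft, and everything concrete in it is an assumption: the class and method names, an HMAC-signed JSON ticket as the notice the browser carries from the authentication server to the affiliate, a per-affiliate shared key for that signature, a salted SHA-256 hash standing in for whatever the authentication database stores, a plain dictionary standing in for the browser's cookie jar, integer seconds for time, and the constructed user "smith" with the constructed affiliates "shop" and "news".

```python
import hashlib
import hmac
import json
import secrets

def hash_password(salt, password):  # stand-in for what database 112 stores; use a real KDF in practice
    return hashlib.sha256(salt + password.encode()).hexdigest()

class AuthServer:  # authentication server 110 together with authentication database 112
    def __init__(self):
        self.users = {}       # login_id -> (salt, password hash, profile, release policy)
        self.affiliates = {}  # name -> (shared key, max since login, max since refresh, category)
        self.sessions = {}    # login_id -> {"login_at", "refresh_at", "visited"}

    def register_user(self, login_id, password, profile, policy):
        salt = secrets.token_bytes(16)
        self.users[login_id] = (salt, hash_password(salt, password), profile, policy)

    def register_affiliate(self, name, key, max_since_login, max_since_refresh, category):
        self.affiliates[name] = (key, max_since_login, max_since_refresh, category)

    def sign_in(self, browser, affiliate, now, login_id=None, password=None):
        # Browser arrives by redirect from `affiliate` (steps 202/232). Returns ("sign_in", None),
        # ("failed", None) or ("ok", (ticket, profile)) for the browser to carry back (steps 212/214).
        key, max_login, max_refresh, category = self.affiliates[affiliate]
        cookie_id = browser.get("auth", {}).get("login_id")
        session = self.sessions.get(cookie_id)
        if (session and now - session["login_at"] <= max_login
                and now - session["refresh_at"] <= max_refresh):           # steps 234/236
            login_id = cookie_id
        else:
            if login_id is None or password is None:
                return ("sign_in", None)                                    # step 204: ask for credentials
            user = self.users.get(login_id)
            if user is None or not hmac.compare_digest(hash_password(user[0], password), user[1]):
                return ("failed", None)                                     # step 210
            session = self.sessions.setdefault(login_id, {"login_at": now, "visited": set()})
            if now - session["login_at"] > max_login:
                session["login_at"] = now                                   # login timed out: fresh login
            session["refresh_at"] = now                                     # password re-entered: refreshed
            browser.setdefault("auth", {})["login_id"] = login_id           # step 212: auth server cookie
        session["visited"].add(affiliate)                                   # sites visited since last logout
        body = json.dumps({"login_id": login_id, "affiliate": affiliate, "auth_at": session["refresh_at"]})
        ticket = body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        _, _, profile, policy = self.users[login_id]
        allowed = policy.get(category, policy["*"])                         # user's release rules by site type
        return ("ok", (ticket, {k: v for k, v in profile.items() if k in allowed}))

    def logout(self, browser):
        session = self.sessions.pop(browser.get("auth", {}).get("login_id"), None)
        visited = sorted(session["visited"]) if session else []
        for origin in ["auth"] + visited:  # stands in for the deletion request sent to each visited server
            browser.pop(origin, None)
        return visited

class Affiliate:  # affiliate server 104/106/108: it stores no passwords and has no path to receive one
    def __init__(self, name, key, validity):
        self.name, self.key, self.validity = name, key, validity            # validity: own cookie lifetime

    def request_page(self, browser, now):                                  # steps 200/202
        jar = browser.get(self.name, {})
        if jar and now - jar["auth_at"] <= self.validity:
            return ("page", jar["login_id"])
        return ("redirect", "auth")

    def complete(self, browser, ticket, profile, now):                     # steps 212 to 216
        body, _, tag = ticket.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        claims = json.loads(body) if hmac.compare_digest(tag, expected) else None
        if claims is None or claims["affiliate"] != self.name:
            return ("rejected", None)
        browser.setdefault(self.name, {}).update(login_id=claims["login_id"], auth_at=now)
        return ("page", {"welcome": claims["login_id"], "profile": profile})

def run_scenario():  # walks the constructed user "smith" through FIGS. 3 to 6; returns what each party saw
    auth, browser = AuthServer(), {}   # browser: cookie jar, origin -> {name: value}; a server sees only its own
    shop_key, news_key = secrets.token_bytes(32), secrets.token_bytes(32)
    shop, news = Affiliate("shop", shop_key, 600), Affiliate("news", news_key, 60)
    auth.register_affiliate("shop", shop_key, 3600, 900, "commerce")
    auth.register_affiliate("news", news_key, 3600, 60, "content")
    auth.register_user("smith", "correct horse",
                       {"name": "Bob Smith", "email": "bob@example.test", "mailing_address": "1 Main St"},
                       {"commerce": {"name", "email", "mailing_address"}, "*": {"name", "email"}})
    out = {"first_visit": shop.request_page(browser, 0)}                   # no cookie: redirect to auth
    out["needs_sign_in"] = auth.sign_in(browser, "shop", 0)[0]
    out["bad_password"] = auth.sign_in(browser, "shop", 0, "smith", "wrong")[0]
    _, (ticket, profile) = auth.sign_in(browser, "shop", 0, "smith", "correct horse")
    out["shop_page"] = shop.complete(browser, ticket, profile, 0)
    forged = ticket[:-1] + ("0" if ticket[-1] != "0" else "1")
    out["forged"] = shop.complete(browser, forged, profile, 0)[0]
    out["news"] = auth.sign_in(browser, "news", 30)                        # already signed in: no password
    news.complete(browser, *out["news"][1], 30)
    out["refresh_required"] = auth.sign_in(browser, "news", 100)[0]         # 100 s since refresh > 60 s limit
    out["shop_still_in"] = shop.request_page(browser, 100)                  # shop's own 600 s cookie still good
    out["logged_out_from"] = auth.logout(browser)
    out["cookies_left"] = browser
    return out
```

Running run_scenario() shows the points the patent makes: the Affiliate class has no code path that ever receives a password; the affiliate verifies the notice with its own key and rejects a ticket whose tag or target affiliate does not match, so a ticket minted for one affiliate cannot be replayed at another; the "content" affiliate never sees the mailing address; and because "news" registered a 60-second refresh limit, the visit at t = 100 forces re-entry of the password even though "shop" would still accept its own cookie. Transport protection of the sign-in page (the SSL the patent specifies) is outside the simulation.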

After receiving the user's profile information, the affiliate server generates a personalized web page for the user and communicates the web page to the user's browser (step 216). Additionally, the affiliate server copies one or more cookies to the client computer system which include information indicating that the user of the client computer system has been authenticated and indicating the period of time during which the authentication is valid. Each time the u
