(12) Patent Application Publication    (10) Pub. No.: US 2004/0059941 A1
Hardman et al.                          (43) Pub. Date: Mar. 25, 2004

(54) SYSTEMS AND METHODS FOR IDENTIFYING USERS AND PROVIDING ACCESS TO INFORMATION IN A NETWORK ENVIRONMENT

(75) Inventors: Todd Hardman, Orem, UT (US); James Ivie, Lindon, UT (US); Michael Mansfield, Lindon, UT (US); Greg Parkinson, Orem, UT (US); Daren Thayne, Orem, UT (US); Mark Wolfgramm, Provo, UT (US); Michael Wolfgramm, Pleasant Grove, UT (US); Brant Redd, Provo, UT (US)

Correspondence Address:
TOWNSEND AND TOWNSEND AND CREW, LLP
TWO EMBARCADERO CENTER
EIGHTH FLOOR
SAN FRANCISCO, CA 94111-3834 (US)

(73) Assignee: My Family.com, Inc., Orem, UT

(21) Appl. No.: 10/247,806
(22) Filed: Sep. 19, 2002

Publication Classification

(51) Int. Cl.7 ................................ H04L 9/00
(52) U.S. Cl. ................................. 713/201
`
(57) ABSTRACT

Systems and methods for providing functions from a central facility on a computer network. One function facilitated includes authentication and authorization of users requesting access to a web server accessible via the communication network. Such authorization and authentication includes transferring a request for access from a content server to the central facility and authorizing the request from the central facility. Results of the authorization are communicated to the content server, which displays the results of the request to the user by either allowing access or displaying a message describing a denied request.

CELLSPIN
EX. 2029, Page 1

[Sheet 1 of 3: FIG. 1, web server environment; drawing only, no text recoverable from this sheet]

[Sheet 2 of 3: FIG. 2, authentication flow diagram; drawing only, no text recoverable from this sheet]

[Sheet 3 of 3: FIG. 3, user login flow. Recoverable panel labels, in order: "Authentication Needed"; "Login Form" (Username, Password; "Forgot Password" link; submit f=Login); "Create Account Form" (Username, Password, FirstName, LastName, ...; submit f=CreateUser; onOk); "Forgot Password Form Submit" (Username, Email; submit f=EmailLogin); "Email Sent Page"; "eMail Message (htx template)"; "Set Password Form" (New Password; submit f=UpdateUNPW); "Post-Reminder Home Page". Reference numerals are not recoverable.]
`
`
`
US 2004/0059941 A1    Mar. 25, 2004
`
SYSTEMS AND METHODS FOR IDENTIFYING USERS AND PROVIDING ACCESS TO INFORMATION IN A NETWORK ENVIRONMENT
`
CROSS-REFERENCES TO RELATED APPLICATIONS

[0001] This application is being filed concurrently with related U.S. patent application Ser. No. ______ (Attorney Docket Number 019404-000720US), entitled “SYSTEMS AND METHODS FOR STORING AND RETRIEVING DATA IN A WEB SERVER ENVIRONMENT”, and U.S. patent application Ser. No. ______ (Attorney Docket Number 019404-000730US), entitled “SYSTEMS AND METHODS FOR PARTITIONING DATA ON MULTIPLE SERVERS”, which are incorporated herein by reference for all purposes.
`
BACKGROUND OF THE INVENTION

[0002] This invention relates in general to systems and methods for accessing information from a network accessible web server. More specifically, this invention relates to systems and methods for authorizing and authenticating users requesting access to a web server. Yet further, the invention provides systems and methods for facilitating functions provided by a central service on a network.

[0003] Authorization and authentication are typically performed whenever access to a secure web server on a network is requested. In general, such authorization and authentication involves querying a user for a user name (ID) and password, determining the identity of the user from the queried information, and providing the user with access to a network web server consistent with the user's rights. Upon authentication and authorization, the user is free to access the web server associated with the network device.

[0004] This relatively simple approach requires that a user be authenticated and authorized for each secure web server which the user accesses. Thus, for example, a user wishing to access a second web server must again be authenticated and authorized before access to the web server is allowed. This redundancy is useful where a user's access is fundamentally different to the first and second web servers. However, where the two web servers recognize the same user for the same purposes, such redundancy is wasteful.

[0005] One simple solution to eliminate redundancy is to authenticate and authorize a user to access two or more web servers while providing only a single ID and password. For example, a user can be queried when accessing a first web server and, upon authentication and authorization, can be issued a “cookie” which indicates that the user is authorized to access other related web servers identified by the cookie. Such methods work well when both web servers share first and second level domain names. However, where the first or second level domain names are dissimilar, the method will not work.

[0006] In some instances, web server owners provide authorization and authentication via a central authorization facility often operated by a third party. Thus, for example, when a user accesses a requested web server, the user is redirected to the central authorization facility which queries the user for an ID and a password. Upon authorizing the user, the central authorization facility displays a message indicating the status of any authentication and/or authorization. After displaying the message, the central facility redirects the user back to the requested web server.

[0007] In such a system, a user desiring access to a second web server is similarly redirected to the central authorization facility before access to the second web server is allowed. Thus, traffic to the central authorization server is very high. This is particularly inefficient where the user's access to both the first and the second web servers is identical.

[0008] In addition to the inefficiencies, confusing messages are often displayed to users when access to a web server is denied due to either failure of authentication or authorization. Such messages are displayed to the user by the central authorization facility. The messages are confusing because they do not reference the requested web server, but rather reference the central authorization facility. Such messages are particularly confusing to a user that is not aware that they were being redirected for authentication and authorization. In addition to confusing the user, a certain level of brand dilution results from displaying characteristics of the central authorization facility rather than the requested web server.

[0009] To avoid this confusion and brand dilution, many web server owners require the central authorization facility to display a failure message designed by the web server owner. While this alleviates problems with confusion and brand dilution, it is cumbersome and labor intensive. Frequently, providers of the central authorization facility use different tools to author and host their web pages than providers of an associated web server. So, providers of the web server must learn to author using different tools. In addition, whenever a design change is made to the web server, matching changes must be made on the pages served by the central authorization facility.

[0010] Thus, there exists a need in the art for systems and methods for providing third party services which are transparent to the user. In addition, there exists a need in the art for systems and methods for providing a one-time authorization and access to a family of web servers.
`
BRIEF SUMMARY OF THE INVENTION

[0011] The present invention provides systems and methods for using functions available from a central facility in communication with a computer network. In some embodiments, the functions provided by the central facility include authenticating a user requesting access to a web server. In other embodiments, the functions provided by the central facility include authorizing the user. In addition to authenticating and authorizing a requesting user, the systems and methods of the present invention are applicable to a number of other functions provided by a central facility.

[0012] One embodiment of the present invention includes methods for providing functions from a central facility associated with a computer network. The methods include receiving a request to access a content server. The content server refers at least a portion of the request to the central facility, which executes the request. The results of the execution are indicated to the content server, which in turn displays the results of the request. Because the content server generates the displayed message, any changes to the message can be made without accessing the central facility. Further, by generating the message from the content server, brand dilution is eliminated without the complexity and expense associated with maintaining and updating displays on the central facility.
[0013] In some embodiments, the function performed by the central facility is an authentication function. Such a function can include comparing a user name and password with a known user name and password maintained at the central facility. The authentication function can authenticate a user to access two or more servers each associated with different second-level domain names. Such authentication reduces traffic to the central facility and eliminates the need for a user or device to be authenticated for each server individually.

[0014] Another embodiment of the present invention includes a system for providing web server related functions via a central facility. The system includes at least two web servers connected to a central facility via a computer network. In the system, a message indicating failure of a function performed by the central facility is maintained on one of the web servers and another message indicating failure of a function performed by the central facility is maintained on the other web server. In this way, brand identity associated with the first and the second web servers can be maintained without providing failure messages to the central facility.

[0015] Yet another embodiment of the present invention includes a method for authenticating a user to a computer in communication with a computer network. The method includes receiving an access request at a first content server. The access request is referred to a central facility where the request is executed. A response to the executed request is received and indicated in the form of a cookie associated with the first content server and in the form of a cookie associated with the central facility.

[0016] In some embodiments, the first content server is associated with a first domain name and the second content server is associated with a second domain name. The second-level parts of the first and the second domain names differ.

[0017] These and other embodiments of the present invention are described in more detail in conjunction with the text below and attached figures.

BRIEF DESCRIPTION OF THE DRAWINGS

[0018] A more complete understanding of the present invention may be derived by referring to the detailed description and claims when considered in connection with the figures, wherein like reference numbers refer to similar items throughout the figures, and:

[0019] FIG. 1 illustrates a web server environment according to the present invention;

[0020] FIG. 2 illustrates a flow diagram describing authentication using a central facility according to the present invention; and

[0021] FIG. 3 illustrates a flow diagram of an embodiment of the present invention used in relation to a variety of aspects related to a user login.
DETAILED DESCRIPTION OF THE INVENTION
[0022] The present invention provides systems and methods for using functions available from a central facility in communication with a computer network. In some embodiments, the functions provided by the central facility include authenticating a user requesting access to a web server. In other embodiments, the functions provided by the central facility include authorizing the user to access portions of a particular web server. In addition to authenticating and authorizing a requesting user, the systems and methods of the present invention are applicable to a number of other functions provided by a central facility. Such additional functions can include, but are not limited to, updating a user's information on the system and creating new users on the system.

[0023] A fundamental advantage of the World-Wide Web over predecessor online services is the opportunity to link from content on one web site to content on another. A new trend on the Internet is to use these same facilities to integrate services on the Internet. For example, email services for a web site might be outsourced to a vendor that specializes in providing email services.

[0024] As services like these are outsourced, they must be privately branded so that the user has a consistent experience. Even though services may be sourced from different hosting centers in different places, the integration should appear as one service to the user. This invention provides systems and methods to manage and provide web pages under pseudo control of a central facility. The present invention advantageously allows the provider of a web server using a central facility to author messages associated with the central facility using the same tools used for its own web server pages. Additionally, the present invention allows a provider of a web server greater control over a user's experience with the web server.

[0025] It will be appreciated by one of ordinary skill in the art that the systems and methods of the present invention can be used in relation to various outsourced functions including, but not limited to, stock quotes, authorization requests, authentication requests, registration for events or services, and status inquiries (e.g., email messages received). The present invention can be used in relation to outsourced functions for either human users or devices capable of communicating with a central facility. For example, systems and methods of the present invention can be used to update information related to a scanner which can be used to upload pictures to a web server.

[0026] For the purposes of this document, authentication is a process whereby the identity of a user and/or device is acknowledged. Thus, as a simple example, authenticating may involve receiving an ID and a password from a user and using the received information to determine the identity of the user. Once a user is authenticated, the user can then be authorized. Such authorization includes identifying rights which a user has to access a particular web server. For example, a user can be authorized to both read and write a database associated with one web server, while only being authorized to read a database associated with another web server.
[0027] Also, for purposes of this document, a Uniform Resource Locator (URL) is the address of a page or program on the World-Wide Web. For example, the URL for Yahoo is “http://www.yahoo.com”. The most common forms of URLs include a protocol (indicating the way to communicate), a host name (indicating the name of the computer to access), a path (indicating the resource) and an optional query string (indicating information to be supplied to the resource). For example: “http://www.myfamily.com/exec?c=site&htx=main”. In this example the protocol is “http”, the host name is “www.myfamily.com”, the path is “/exec” and the query string is “c=site&htx=main”.
[0028] HyperText Markup Language (HTML) is the language used for marking up text for display as a page on the World-Wide Web. It consists of text with embedded markup tags. A “form” is a special type of web page. Like all web pages it is marked up in HTML. But a form includes special tags that allow the user to enter or select information. For example, it might include a text entry field into which a user enters their name, or it might include buttons to select among a set of options.

[0029] HyperText Transfer Protocol (HTTP) is the protocol that web browser programs (also known as User Agents) use to communicate with web servers on the Internet. In a typical interaction, the browser requests a page at a URL and the web server returns the corresponding HTML page.

[0030] A request in the HTTP protocol can be made in a number of different ways, but the most common methods are “GET” and “POST”. In a GET request, the browser simply provides the URL as above. Alternatively, in a POST request, the browser supplies the URL and additional information, such as a user name and password appended to the URL. In most cases, the additional information is information that a user entered into an HTML form.

[0031] In general, when a web server receives a request, it sends back a response. Such responses can start with a response code, such as the number 200, which indicates that the request was successful. In addition, the response usually includes an English-language comment such as “OK”, which is generally ignored by the browser. The balance of the response is typically an HTML web page.

[0032] Another common response is a redirect. Common redirect responses begin with response codes 302 or 303. Such redirect responses include a new URL indicating that the browser should make a new request to the specified URL. Redirect responses are often used with POST requests. Thus, when a web server receives a POST request, it generally processes the form data that was sent in the request and subsequently returns a redirect response to direct the browser to the next page a user should see.

[0033] This method is very convenient for web programmers. In a typical configuration, the web server executes a special program, called a CGI, when it receives a POST request. If a redirect is not used, the CGI program must process the form data and it must render the new web page. With a redirect, the CGI can process the form and let the new web page be supplied by conventional means.
[0034] FIG. 1 illustrates an embodiment of a web server environment 100 comprising a content server 110, a content server 120, a central facility 130 and an access device 150. Each of the content servers 110, 120, central facility 130 and access device 150 is in communication with a network 140. Access device 150 can include a display 152, a database 154 and a data entry device 156.

[0035] In one particular embodiment, network 140 is the Internet and access device 150 is a personal computer (PC) comprising an Internet browser (not shown) for communicating via network 140. In some embodiments, content servers 110, 120 and central facility 130 are web servers which include both software and hardware components necessary for communicating across network 140. Of course, one of ordinary skill in the art will recognize that the present invention is applicable to a number of environments. For example, the present invention is applicable to a virtual private network comprising content server 110, central facility 130 and access device 150 in communication with network 140.

[0036] The systems and methods of the present invention are suited to communication between content servers 110, 120, central facility 130 and access device 150. In an embodiment, such systems and methods provide for application software running on access device 150, such as a photo uploader, to access content servers 110, 120 and upload a desired photograph. Prior to accessing content servers 110, 120, a user associated with access device 150 is authenticated to content servers 110, 120 and/or authorized to access the desired content server.

[0037] Such authentication and/or authorization is provided by way of a Central Authentication Protocol (CAP) according to the present invention. In some embodiments of the present invention, both authentication and authorization are performed according to the CAP. In other embodiments, only authentication or authorization is performed according to the CAP. In one particular embodiment, authentication is performed according to the CAP, while content servers 110, 120 each individually perform authorization. Embodiments of the CAP are described in relation to FIGS. 2 and 3.
[0038] FIG. 2 illustrates an embodiment of the CAP according to the present invention. In the embodiment, a request to access content server 110 is received (step 210). The request for access can be received from access device 150, or from another server, such as content server 120. In one embodiment, the request is initiated by a user viewing a web page, such as www.hypotheticalONE.com/home, maintained on content server 110. Wishing to log in, the user selects a link marked “login” on the page.

[0039] In response to the request for access (step 210), content server 110 transfers the request to central facility 130 by redirecting the user to the URL for the “login” page of central facility 130. For example, a user can be directed to the following exemplary URL:

[0040] http://www.centralfacility.com/login.cgi?onok=http%3A%2F%2Fwww.hypotheticalONE.com%2Fmain&onfail=http%3A%2F%2Fwww.hypotheticalONE.com%2Flogin
[0041] In this example, the user is directed to the “login” page of www.centralfacility.com which is maintained on central facility 130. Once at central facility 130, the user is authenticated. Embedded within the exemplary URL are two additional URLs specified within the query string. The “onok” URL, www.hypotheticalONE.com/main,

[0042] is the page to which the browser should be sent upon successful authentication. Alternatively, the “onfail” URL, www.hypotheticalONE.com/login, is the page to which the browser should be sent if authentication fails. In the embedded URLs, the special characters, colon and slash, are replaced by “%3A” and “%2F” respectively. This is known as “URL encoding” and is a standard method used when passing data in URLs to avoid ambiguity on how a character should be interpreted. It should be recognized by one of ordinary skill in the art that other forms of URL encoding and/or embedded URLs can be used according to the present invention.
[0043] In the situation where the user has previously logged in to the server, central facility 130 automatically redirects the user to the “onok” URL where the user is then allowed to access content server 110. As discussed below, in some embodiments a user's prior login is indicated by a cookie resident on the user's database 154. Advantageously, a user who has been previously authenticated by central facility 130 can be automatically authenticated for another content server. For example, a user who previously logged into content server 120 can be automatically authenticated to access content server 110.

[0044] In the situation where the user has not previously logged in, the browser is redirected to the “onfail” URL. In the exemplary URL, the “onfail” URL is a login page maintained on content server 110. Thus, the user is prompted for login information by a message displayed to the user from content server 110. Advantageously, the user sees a message displayed from content server 110 and not from central facility 130. This allows the provider of content server 110 to avoid brand dilution and eliminates confusion resulting from a user being denied access by a foreign central facility 130.

[0045] In addition to redirecting the user's browser to the “onfail” URL, central facility 130 can add information to the query string of the “onfail” URL which indicates why the user is being returned to the “login” page. For example, central facility 130 can add a message “please enter your user name and password”. Content server 110 can incorporate this information in a message presented to the user or ignore the information and present another message.

[0046] In some embodiments, the message associated with the “onfail” URL queries the requesting user or device for identification information. For example, in some embodiments, content server 110 displays a data entry interface or form on display 152 requesting a user name and password. In some embodiments, the requested identification information is passed from a browser resident on access device 150 to central facility 130 (step 220). Alternatively, in other embodiments, the requested identification information is passed to content server 110 which in turn passes the information to central facility 130 (step 220).

[0047] The request is executed by central facility 130 (step 230). Where a user entered incorrect identification information, the user can be automatically redirected back to the login page where a message indicating the failed attempt is displayed (step 270) and where the user can be prompted to re-enter the identification information (step 280). Thus, for example, the user could be redirected to the “onfail” URL, www.hypotheticalONE.com/login. In some embodiments, central facility 130 redirects the user's browser to the “onfail” URL and additionally includes a query string, such as “code=badpassword”, appended to the “onfail” URL. The message displayed to the user by content server 110 may use the query string to tailor a message to the user's particular needs. For example, based on the query string, content server 110 may display the message “Invalid user name or password. Please try again.” The following is an example of such an “onfail” URL with an added query string:

[0048] www.clientapp.com/login.html?code=badpassword
[0049] Where execution of the request (step 230) finds that the user entered a correct user name and password, the user is automatically redirected to the “onok” URL, www.hypotheticalONE.com/main (step 260). An Authentication Token (ATT) is passed to content server 110 as a query string embedded in the “onok” URL. Based on the ATT, the user is granted access to content server 110. In addition, the ATT is written as a cookie to database 154.

[0050] The ATT can be a string of characters that encodes binary information which indicates the successful authentication. For example, the ATT may be the string “ABC123” which is written as a cookie to database 154 and appended to the “onok” URL. Thus, the “onok” URL is www.hypotheticalONE.com/main.html?credential=ABC123. Upon reception of the ATT, content server 110 displays the main information page at display 152 (step 260).
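The FIG. 2 exchange of paragraphs [0039] through [0050], as an added Python example that is not part of the patent: the content server builds the URL-encoded login redirect, the central facility answers with the onok or onfail redirect (carrying code= or credential=), and the content server interprets what comes back. The registered-host allow-list, the "loginrequired" code and the password-check callable are assumptions not in the patent.

```python
"""CAP redirect flow modelled on the patent's FIG. 2 text (added illustration)."""
import secrets
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

CENTRAL_LOGIN = "http://www.centralfacility.com/login.cgi"
# Assumption (not in the patent): the central facility only redirects to
# registered content-server hosts, compared lower-case (host names are
# case-insensitive), so the onok/onfail parameters cannot send a user elsewhere.
ALLOWED_HOSTS = {"www.hypotheticalone.com", "sales.hypotheticalone.com"}
# Messages the content server shows; the texts are the patent's, the
# "loginrequired" code name is constructed for this example.
FAIL_MESSAGES = {
    "badpassword": "Invalid user name or password. Please try again.",
    "loginrequired": "Please enter your user name and password.",
}


def build_login_redirect(onok: str, onfail: str) -> str:
    """Content server, step 210: Location value sending the browser to the central
    facility's login page. urlencode() percent-encodes ':' and '/' as %3A and %2F."""
    return CENTRAL_LOGIN + "?" + urlencode({"onok": onok, "onfail": onfail})


def _append_query(url: str, params: Dict[str, str]) -> str:
    """Append parameters to a URL that may already carry a query string."""
    parts = urlsplit(url)
    extra = urlencode(params)
    query = parts.query + "&" + extra if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def central_facility_login(
    request_url: str,
    cookies: Dict[str, str],
    form: Optional[Dict[str, str]],
    check_password: Callable[[str, str], bool],
    issue_att: Optional[Callable[[], str]] = None,
) -> Dict[str, object]:
    """Central facility, steps 220 to 270. Returns the redirect Location and, on a
    fresh login, the ATT cookie to set on the central facility's own domain."""
    q = parse_qs(urlsplit(request_url).query)
    if "onok" not in q or "onfail" not in q:
        raise ValueError("onok and onfail are required")
    onok, onfail = q["onok"][0], q["onfail"][0]   # parse_qs already URL-decodes
    for target in (onok, onfail):
        if urlsplit(target).hostname not in ALLOWED_HOSTS:
            raise ValueError("return URL host is not a registered content server")
    if "ATT" in cookies:
        # Paragraph [0043]: prior login, go straight to onok. A deployment would
        # validate the cookie's contents before trusting it.
        return {"location": _append_query(onok, {"credential": cookies["ATT"]}), "set_cookie": None}
    if form is None:
        # Paragraphs [0044]/[0045]: no credentials yet; let the content server prompt.
        return {"location": _append_query(onfail, {"code": "loginrequired"}), "set_cookie": None}
    if not check_password(form.get("username", ""), form.get("password", "")):
        # Paragraph [0047]: failed attempt, reason carried in the query string.
        return {"location": _append_query(onfail, {"code": "badpassword"}), "set_cookie": None}
    att = issue_att() if issue_att else secrets.token_urlsafe(16)
    # Paragraph [0049]: ATT travels in the onok URL and is also set as a cookie.
    return {"location": _append_query(onok, {"credential": att}), "set_cookie": ("ATT", att)}


def content_server_handle(url: str, cookies: Dict[str, str]) -> Tuple[str, Optional[str], Optional[Tuple[str, str]]]:
    """Content server, steps 260/270: the browser arrives at onok or onfail.
    Returns (page to render, failure message or None, cookie to set or None)."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if parts.path.startswith("/main"):
        att = q.get("credential", [""])[0] or cookies.get("ATT", "")
        if not att:
            return ("login", FAIL_MESSAGES["loginrequired"], None)
        return ("main", None, ("ATT", att))   # paragraph [0051]: store the ATT cookie
    code = q.get("code", ["loginrequired"])[0]
    return ("login", FAIL_MESSAGES.get(code, FAIL_MESSAGES["loginrequired"]), None)
```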
[0051] In some embodiments, upon receiving the ATT as an appended query string, content server 110 writes the ATT as a cookie to database 154. With the cookie in place on database 154, the user does not need to be authenticated for subsequent accesses to content server 110. Additionally, the cookie allows the user to access other content servers which share common first and second level domain names with content server 110. Thus, for example, where the URL for content server 120 is sales.hypotheticalONE.com, a user authenticated to access content server 110 (URL www.hypotheticalONE.com) would also be authenticated to access content server 120.

[0052] Because the ATT is also issued as a cookie by central facility 130, the user is additionally authenticated to central facility 130 and other content servers which share common first and second level domain names with central facility 130. Thus, for example, where the URL for content server 120 is xyz.centralfacility.com, the cookie would allow the user to access content server 120.
[0053] Thus, in some embodiments, successful authentication results in a cookie associated with content server 110 and central facility 130 being written to database 154. These cookies can be queried whenever a user or device accesses either content server 110, central facility 130, or other servers sharing common top level domain names to determine if authentication has been completed. These cookies can be either persistent or time-limited. Persistent cookies expire on a particular date and time and rarely need to be renewed. Alternatively, session cookies expire after the occurrence of a particular event, such as a logout. Once a session cookie expires, the user is required to authenticate again. By maintaining such cookies on a user's database, the user can be quickly and efficiently authenticated and authorized to a particular server.

[0054] Where the ATT is included in a cookie resident on the user or device's database, a browser will automatically present it to any other server on that domain, such as www.hypotheticalONE.com or sales.hypotheticalONE.com and so forth. Therefore, servers needing the identity of a user that are on the hypotheticalONE.com domain can just check the cookie to determine whether the user has logged in and obtain the user's identity.
[0055] In addition, some embodiments of the CAP make use of Authorization Tokens (AZT) similar to the way ATTs are used. While ATTs indicate that a user is authenticated, the AZTs indicate which portions of a server a user is authorized to access and what level of access is possible.

[0056] ATTs and AZTs grant authentication and authorization only for the duration of the user's browser session. In addition, an ATT can incorporate an expiration date and time after which it becomes invalid. In some embodiments, cryptographic protection of an AZT incorporates a hash of a corresponding ATT. This ties the AZT to a particular ATT. Thus, if the ATT expires or is changed in any way, the AZT is invalidated by the absence of a valid ATT that matches the hash code.

[0057] In other embodiments, an AZT incorporates its own expiration date and time and is entirely independent of the presence of an ATT. Yet other embodiments involve ATTs and AZTs which each include the date and time of issuance. In such embodiments, each client service can independently set a standard for how old an ATT or AZT can become before it is considered expired.

[0058] In a particular embodiment an ATT and AZT are protected using a Message Authentication Code (MAC) as described in Internet RFC 1828. A MAC is a hash value calculated using the contents of a message and a secret key. If the contents of the message change in any way, a different MAC value will result. Since the MAC can only be calculated by a system possessing the secret key, any attempt to manipulate the contents of the ATT or AZT will result in an invalid MAC value. Using a MAC, the contents of ATTs and/or AZTs are protected against tampering, without requiring encryption. Thus, there are no legal export restrictions despite the fact that strong 128-bit keys are in use.

[0059] For the ATT, the MAC value is calculated using a secret key and the contents of the ATT. Then the MAC value is appended to the end. This means that a valid ATT can only be calculated by a system that has a copy of the secret key.

[0060] The AZT can also be protected by a MAC but, in this embodiment, the inputs to the MAC are a different secret key, which incorporates the contents of the ATT, and the AZT. The calculated MAC value is appended to the AZT. Thus, if the ATT changes in any way, such as when a different user logs in, the AZT automatically becomes invalid because the calculated MAC changes.
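One way to realize the MAC-protected ATT and AZT of paragraphs [0056] through [0060], as an added Python example that is not the patent's own code: the ATT carries its MAC appended to its contents, and the AZT is keyed with a secret that incorporates a hash of the ATT, so an expired or altered ATT invalidates the AZT. HMAC-SHA256 stands in for the RFC 1828 keyed-MD5 MAC the text cites; the token field layout (user|issued|expires), the separators and the key derivation are assumptions.

```python
"""MAC-protected ATT/AZT tokens in the style of paragraphs [0056]-[0060] (added illustration)."""
import base64
import hashlib
import hmac
from typing import Dict, Optional


def _mac(key: bytes, data: bytes) -> str:
    """Keyed MAC over data, base64url without padding so it fits in a URL or cookie."""
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")


def issue_att(user: str, issued: int, lifetime: int, att_key: bytes) -> str:
    """Paragraph [0059]: MAC over the ATT contents, appended to the end.
    Layout (assumed): user|issued|expires.MAC, with times as epoch seconds."""
    if "|" in user or "." in user:
        raise ValueError("user name may not contain field separators")
    body = f"{user}|{issued}|{issued + lifetime}"
    return body + "." + _mac(att_key, body.encode())


def verify_att(att: str, att_key: bytes, now: int) -> Optional[str]:
    """Return the user name if the MAC checks and the ATT is unexpired, else None.
    compare_digest keeps the tag comparison constant-time."""
    body, sep, tag = att.rpartition(".")
    if not sep or not hmac.compare_digest(tag, _mac(att_key, body.encode())):
        return None
    user, _issued, expires = body.split("|")
    return user if now < int(expires) else None


def _azt_key(azt_secret: bytes, att: str) -> bytes:
    """Paragraphs [0056]/[0060]: the AZT key incorporates a hash of the whole ATT
    (contents plus its MAC), so any change to the ATT yields a different key."""
    return hmac.new(azt_secret, hashlib.sha256(att.encode()).digest(), hashlib.sha256).digest()


def issue_azt(att: str, rights: Dict[str, str], azt_secret: bytes) -> str:
    """Paragraph [0060]: MAC over the AZT contents under the ATT-bound key.
    Layout (assumed): resource=level;resource=level.MAC"""
    for res, level in rights.items():
        if any(c in res + level for c in "=;.") :
            raise ValueError("rights may not contain field separators")
    body = ";".join(f"{res}={level}" for res, level in sorted(rights.items()))
    return body + "." + _mac(_azt_key(azt_secret, att), body.encode())


def verify_azt(azt: str, att: str, att_key: bytes, azt_secret: bytes, now: int) -> Optional[Dict[str, str]]:
    """An AZT is accepted only alongside a valid, unexpired ATT; an expired or
    altered ATT (for instance another user logged in) changes the derived key,
    so the stored MAC no longer matches and the AZT is rejected."""
    if verify_att(att, att_key, now) is None:
        return None
    body, sep, tag = azt.rpartition(".")
    if not sep or not hmac.compare_digest(tag, _mac(_azt_key(azt_secret, att), body.encode())):
        return None
    if not body:
        return {}
    return dict(item.split("=", 1) for item in body.split(";"))
```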
[0061] Some embodiments use “symmetric keys”, that is, the system generating the MAC values uses the same keys as the system testing them. Alternative embodiments use digital signatures which are like MACs except that they use the RSA public key encryption algorithm. The use of digital signatures enables