Disposable session ID for Web applications for Internet access capable mobile phones

IP.com Disclosure Number: IPCOM000015888D
Original Publication Date: 2002-Oct-10
Included in the Prior Art Database: 2003-Jun-21
Document File: 2 page(s) / 102K

Publishing Venue

IBM

Abstract

Disclosed is a device that provides a safer session ID for Internet access using HTTP.


Page 1 of 2

Many Web browsers embedded in Internet-access-capable mobile phones are not capable of storing cookies or the basic authentication login information (i.e. user ID and password). To allow session-based applications such as shopping cart applications to establish sessions, so that a shopping cart can be identified as belonging to a particular user when cookies cannot be used, one method is to embed the session ID in the URLs. The Web server (httpd server, Web application server, proxy server, etc.) generates a session ID when a user's login succeeds; after that the user submits HTTP requests using URLs that include the session ID. The server extracts the session ID, identifies the accessing user, and the session is established. This method has two problems:
(1) It is easier to impersonate another user's session than when cookies are used:
    (i) A session ID in a URL can be snooped easily, and if somebody else sends a URL carrying the captured session ID, the impostor can pretend to be the legitimate user for as long as the session is active.
    (ii) An attacker can generate session IDs at random until one matches an active session.
(2) The authorized user may not realize that an intruder is using the same session.

The disclosed device avoids the above dangers as follows:
* When a valid request comes, the server that implements the disclosed device generates a new session ID and sends it to the terminal. The server saves both the old session ID and this new one as valid session IDs.
* If the new session ID is submitted by the terminal, the server discards the old session ID, generates a newer session ID and sends it to the terminal, saves the submitted session ID as the current old one, and saves the newly generated one as the new valid one.
* If the current old session ID is submitted by the terminal, the server discards the new session ID, generates a newer session ID and sends it to the terminal, and saves the newly generated session ID as the current new one.
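The three rotation rules above, written out as a server-side session store. This is an added example and not code from the disclosure; the class names, the ID generator and the pluggable idgen parameter are my own assumptions.

```python
import secrets
from typing import Callable, Dict, Optional

class Session:
    def __init__(self, user: str, first_id: str) -> None:
        self.user = user
        self.old_id: Optional[str] = None  # last ID the terminal actually submitted
        self.new_id: str = first_id        # freshest ID issued to the terminal

class DisposableSessionStore:
    """Store for URL-embedded session IDs that are rotated on every valid request.
    At most two IDs per session are valid at once: the last one the terminal
    submitted ('old') and the newest one issued ('new'). A snooped ID therefore
    stops working as soon as the legitimate terminal makes its next request."""

    def __init__(self, idgen: Optional[Callable[[], str]] = None) -> None:
        # assumption: 128-bit random IDs; injectable for deterministic testing
        self._gen = idgen or (lambda: secrets.token_urlsafe(16))
        self._index: Dict[str, Session] = {}  # every currently valid ID -> session

    def login(self, user: str) -> str:
        """Successful login: issue the first session ID to embed in the URLs."""
        sid = self._gen()
        self._index[sid] = Session(user, sid)
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self._index

    def request(self, submitted: str) -> Optional[str]:
        """Validate the ID taken from the request URL. Returns the newer ID to
        embed in the response links, or None if the ID is not currently valid."""
        s = self._index.get(submitted)
        if s is None:
            return None  # unknown, random, or already disposed ID: reject
        newer = self._gen()
        if submitted == s.new_id:
            # terminal moved forward: dispose the old ID, submitted becomes 'old'
            if s.old_id is not None:
                del self._index[s.old_id]
            s.old_id = submitted
        else:
            # old ID resubmitted (e.g. Back button or lost response):
            # dispose the unsubmitted new ID; the old one stays as 'old'
            del self._index[s.new_id]
        s.new_id = newer
        self._index[newer] = s
        return newer
```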

The following figure shows how this works when implementing the disclosed device as a proxy server.

Figure: sequence between the mobile terminal and the proxy server. On the initial request the proxy generates a session ID and returns a log-in form, adding the session ID to the log-in form "Action" URL. The terminal submits the user ID/password to a URL of the form http://i.abc.com/;SesID. The proxy identifies the accessing user using the session ID, saves the authentication data, and adds the authentication data to the request header. When the user clicks a link, the proxy inserts the session ID into the link URLs in the content and saves any cookies on behalf of the client device.

(*1) i-mode: Trademark of NTT DoCoMo
(*2) J-Sky: Trademark of J-PHONE/Vodaphone

In the following examples, SIDx represents a session ID, a black arrow represents a valid user's...