Multifactor Session Displacement
Publication Date: 2010-Aug-31
The IP.com Prior Art Database
Web sessions are used to manage statefulness in secure internet web application deployments. A web session is a small piece of information passed between a user's browser and the requested web site. Session displacement allows a user to terminate an existing session against the requested web site. This invention disclosure publication outlines the use of a secondary authentication mechanism to ensure that only the legitimate session owner can force session displacement.
Multifactor Session Displacement
Session displacement allows a legitimate user logged into a system to remove their current session, or identity, from that system. Once a session has been displaced the user must resubmit their user credentials when attempting to access the system again.
A problem becomes apparent if an unknown party gains access to a legitimate user's login credentials, their user name and password. If the system has been configured to allow user session displacement, this unknown party can displace the session of the legitimate user.
At a minimum this disturbs the legitimate user's experience. It also has the potential to enable denial of service against the legitimate user's account as well as the system itself.
Session displacement is a common implementation, in particular for web applications. Two prime examples of applications that use session displacement are IBM's Tivoli Access Manager WebSEAL and IBM WebSphere Application Server ISC. Both of these products provide session displacement via the following steps:
1). A user accesses a web resource stored on the remote system (WebSEAL or WAS-ISC) using an internet browser, eg. Mozilla Firefox or Microsoft Internet Explorer.
2). The system identifies that the user is unknown and responds with a request for the user to provide credentials.
3). The user provides credentials, in this case a username and password, to the system.
4). The system uses the credentials provided to authenticate the user. If successful, the system first checks to see if the user already has an existing session; in this case they do not. The system creates a session, associates it with that user and stores it locally. The session is also stored within an HTTP cookie and returned to the user's browser. On subsequent requests for resources stored on the system the browser provides the session back to the system. The system then identifies the submitted session and is able to match it to the user stored within its session store. This prevents the user from having to resubmit their user credentials again.
5). If that same user were to move to another machine and request a URL on the same system as above, the system would not be able to identify the user as they do not have an existing session stored with the browser on this new computer. The system would prompt the user to provide their credentials from this computer.
6). The user would again provide their credentials, username and password, to the system.
7). The system would again use the submitted credentials to authenticate the user. In this case, when the system looks to see if the user already has a session it identifies that it does. If the system has been configured to allow only one session per user and session displacement has been enabled then the system will ask the user if they would like to displace, or remove, the existing stored session and replace it with...
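The following added example (not code from the publication or from either IBM product) models the steps above in an in-memory Python session store, and adds the secondary check the publication proposes: when a user who already holds a session logs in again (step 7), the server issues a challenge and displaces the old session only if the user proves possession of a second factor. The account names, the password hashing, and the second factor itself (a one-time code computed over the server's challenge with a per-user secret, standing in for whatever out-of-band mechanism a deployment uses) are all assumptions of this example. Someone holding only the stolen username and password gets a "displacement_required" response and cannot remove the legitimate user's session.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: an in-memory "one session per user" system whose session
# displacement step is gated by a second factor. All names and the second-factor
# scheme are assumptions for illustration, not the behaviour of any real product.

# Constructed demo secret standing in for a per-user second-factor secret
# (e.g. one held on a separate device); not from the original document.
SECOND_FACTOR_SECRET = b"demo-second-factor-secret"


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    second_factor_secret: bytes


@dataclass
class SessionStore:
    accounts: dict
    sessions: dict = field(default_factory=dict)  # session_id -> username (server-side store)
    by_user: dict = field(default_factory=dict)   # username -> current session_id
    pending: dict = field(default_factory=dict)   # username -> outstanding displacement challenge


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def second_factor_code(secret: bytes, challenge: str) -> str:
    """Assumed second factor: a one-time code bound to the server's challenge,
    computed on the user's side from their second-factor secret."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def make_store() -> SessionStore:
    """Build a store with one constructed account (username and password are demo values)."""
    salt = secrets.token_bytes(16)
    return SessionStore(accounts={
        "alice": Account(salt, _password_hash("correct horse", salt), SECOND_FACTOR_SECRET),
    })


def _new_session(store: SessionStore, username: str) -> dict:
    session_id = secrets.token_urlsafe(32)  # the value the browser would receive in a cookie
    store.sessions[session_id] = username
    store.by_user[username] = session_id
    return {"status": "session", "session_id": session_id}


def resolve(store: SessionStore, session_id: str):
    """Step 4: map a session submitted by the browser back to the stored user."""
    return store.sessions.get(session_id)


def login(store: SessionStore, username: str, password: str) -> dict:
    """Steps 3/4 and 7: authenticate, then either create a session or, when the
    user already holds one, demand a second-factor proof before displacing it."""
    account = store.accounts.get(username)
    if account is None:
        return {"status": "rejected"}
    if not hmac.compare_digest(_password_hash(password, account.salt), account.password_hash):
        return {"status": "rejected"}
    if username in store.by_user:
        challenge = secrets.token_hex(16)
        store.pending[username] = challenge
        return {"status": "displacement_required", "challenge": challenge}
    return _new_session(store, username)


def displace(store: SessionStore, username: str, challenge: str, code: str) -> dict:
    """Remove the existing session only when the second-factor code matches the
    outstanding challenge; a correct password alone never displaces a session."""
    account = store.accounts.get(username)
    expected_challenge = store.pending.get(username)
    if account is None or expected_challenge is None:
        return {"status": "rejected"}
    if not hmac.compare_digest(expected_challenge, challenge):
        return {"status": "rejected"}  # stale or forged challenge; the live one stays pending
    store.pending.pop(username)  # each challenge may be answered once
    expected_code = second_factor_code(account.second_factor_secret, challenge)
    if not hmac.compare_digest(expected_code, code):
        return {"status": "rejected"}  # the legitimate user's session is left untouched
    old_session = store.by_user.pop(username)
    store.sessions.pop(old_session, None)
    return _new_session(store, username)
```

The important property is visible in `displace`: the old session is only removed after the challenge has been matched and the second-factor code verified, and a failed attempt consumes the challenge without touching the stored session, so a credential thief is limited to repeatedly being told that displacement requires the second factor.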