System and Method to choose a desired LTPA token when LTPA cookie contains multiple LTPA tokens
Publication Date: 2012-Feb-26
The IP.com Prior Art Database
WebSphere Application Server uses LTPA cookies to track authenticated users, and WebSphere's Stack products use the same LTPA cookie for the same purpose. If a user agent visits multiple web sites (not in the same security realm) tracked by LTPA cookies, multiple LTPA cookies will be created, each having an LTPA token as its value. Each LTPA token may be created for a specific target, and should only be valid for that target. If all sites are in the same internet domain, WebSphere Application Server cannot distinguish among the LTPA tokens represented by the LTPA cookies, so an unintended LTPA token may be used.
WebSphere* will extend the LTPA cookie to give WebSphere the ability to distinguish among multiple LTPA tokens.
This invention adds a scope tag to the LTPA token when the LTPA token is first generated. The LTPA token validation process will include verification of the scope tag. When the LTPA token is created, the scope tag is either a unique string calculated in WebSphere Application Server or a value defined manually via a configuration setting. At verification time, the scope tag is reproduced using the same mechanism.
1. Calculate the LTPA token's scope tag: The tag value can be based on the web site name, TAI instance, protected application name, authentication method (e.g., form login, basic auth, client certificate), or some identifier defined via configuration.
2. Add the token tag as a private attribute in the LTPA token during creation if tag generation is required for the request.
3. When receiving and validating the LTPA cookie, WebSphere Application Server will first check if the LTPA token scope tag is required for the request. If so, compare the required tag with the tag inside the LTPA token. If they match, the LTPA token should be accepted and utilized.
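The three steps above as an added Python example; it is not WebSphere code and does not use the real LTPA token format. The HMAC-signed JSON token, the key, the `scope.tag` attribute name, the hash-based tag derivation and the rejection of a token whose tag does not match are assumptions made for illustration.

```python
import hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"   # constructed stand-in for the shared LTPA keys
SCOPE_ATTR = "scope.tag"               # hypothetical private attribute name

def scope_tag(site, app, auth_method, configured=None):
    # Step 1: a configured identifier wins; otherwise derive the tag from request context.
    if configured:
        return configured
    material = "\x1f".join((site.lower(), app, auth_method))
    return hashlib.sha256(material.encode()).hexdigest()

def issue_token(user, tag=None):
    # Step 2: the tag becomes a private attribute only when the request requires one.
    attrs = {"user": user}
    if tag is not None:
        attrs[SCOPE_ATTR] = tag
    body = json.dumps(attrs, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

def validate(token, required_tag=None):
    # Step 3: check integrity first, then compare the required tag with the token's tag.
    try:
        body_hex, mac = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    attrs = json.loads(body)
    if required_tag is not None:
        found = str(attrs.get(SCOPE_ATTR, ""))   # an untagged token never matches
        if not hmac.compare_digest(found.encode(), required_tag.encode()):
            return None
    return attrs["user"]

def pick_token(tokens, required_tag):
    # Several tokens arrive from one internet domain; use the first whose scope matches.
    for tok in tokens:
        user = validate(tok, required_tag)
        if user is not None:
            return user
    return None
```

The verifier recomputes the required tag with the same `scope_tag` inputs the issuer used, so a token minted for another site in the same domain fails the comparison even though its signature is valid.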
*WebSphere is a registered trademark of International Business Machines Corporation