About: Session fixation is a research topic. Over its lifetime, 194 publications have been published within this topic, receiving 5740 citations. The topic is also known as: Session Fixation.
TL;DR: In this article, a user-centric session management system and method are provided, in which a user remains authenticated and connected to a session while migrating between provisioning applications, protocols and/or client devices.
Abstract: A user-centric session management system and method are provided, in which a user remains authenticated and connected to a session while migrating between provisioning applications, protocols and/or client devices. Each user has a unique user identification (UI), and each session has a unique session identifier (USI). The USI supports anonymous users and maintains authentication without requiring authentication for each request. The system includes a session manager that accesses session state memory and virtual device memory. The session state memory provides short-term storage of records of all current client-server sessions, including USIs and associated UIs. The virtual device memory provides long-term storage of state mirroring the current state of a client device involved in a transaction during a session. Using the USI or UI and the virtual device associated therewith, the client device is synchronized at re-connect to an ongoing session or to an interrupted transaction associated with a terminated session.
TL;DR: In this paper, a client establishes a session with a first server such that the first server can identify the client, and the session token is passed from the client to a second server to initiate migration to the second server.
Abstract: An improved session control method and apparatus includes a client which establishes a session with a first server such that the first server can identify the client. When the client wishes to migrate from the first server to a second server, the client requests a session token from the first server. The session token is a data element generated by the first server which is unique over the client-server network being navigated and identifies the particular session with the first server. The session token is preferably a difficult to forge data element, such as a data element digitally signed using the private key of the first server. The session token is passed from the client to the second server to initiate migration to the second server. If session data is too bulky to be passed as part of the session token, the second server may use data from the session token to formulate a request to the first server for additional data needed to handle the state of the session. To minimize the transmission of data, the second server might maintain a version of the bulk session data and only request an update to the version of the data indicated in the session token.
TL;DR: In this paper, a collaboration adapter can be integrated into a web server or a web/application server to allow multiple computer user participants to access a single shared session to an application in a collaborative manner.
Abstract: The system of the invention provides a collaboration adapter which can be integrated into a web server or a web/application server to allow multiple computer user participants to access a single shared session to an application in a collaborative manner. The system of the invention allows a participant to create a shared session and to associate a participant identity to the shared session as the shared session owner. From thereon, participants can join the shared session and submit requests for application response information to the web server containing the collaboration adapter. In cases where the application response information must be obtained from the application, the invention substitutes participant session identification information in an original participant request with shared session identification information to create an altered request and then forwards the altered request to the application.
TL;DR: In this paper, a method for delegating authorization from one entity in a distributed computing system to another for a computing session is disclosed wherein a session public/private encryption key pair is utilized for each computing session.
Abstract: A method for delegating authorization from one entity in a distributed computing system to another for a computing session is disclosed wherein a session public/private encryption key pair is utilized for each computing session. The private encryption key is erased to terminate the computing session.
TL;DR: In this paper, a system and method for maintaining states for user sessions with a web system is presented, where session data (220) representing a state of the user session is stored in memory in a global session server (212).
Abstract: A system and method are provided for maintaining states for user sessions with a web system. Maintaining state includes receiving a request from a user that initiates a user session with the web system and processing the request to provide a web page to the user. Session data (220) representing a state of the user session is stored in memory in a global session server (212). Then, for each subsequent request associated with the user session, the subsequent request is received, and the session data (220) is retrieved from the global session server (212). The subsequent request is then processed using the session data (220) to provide a web page to the user, and the session data (220) is changed to reflect the processing. The session data (220) is then updated in the global session server (212). The global session server (212) thereby stores session data (220) unique to each user session, accumulated over multiple web transactions. In one implementation, the session data (220) includes name/value pairs where the values can be self-describing objects such as text, numbers, arrays, and interfaces to other objects.