JP2002236662A - Information processing system and authentication server program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To receive provision of services on a plurality of service providing servers, which have a plurality of different host names in the Internet respectively, without an Internet browser which has performed log-in once performing the second log-in. SOLUTION: The server for one log-in is made to have the plurality of host names, and cookies having authentication information for the respective service providing servers are written in the browser by one operation using the server for log-in, thereby inheriting authentication information even in a plurality of domains.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to the World Wide Web (WWW) on the Internet, and more particularly, to a method of authenticating a user accessing a server using the World Wide Web and a program therefor.

[0002]

2. Description of the Related Art The World Wide Web (WWW) on the Internet uses a hypertext transfer protocol (HTTP) from a client used by a user using a program generally called an Internet browser (browser). This system acquires files and data (resources) from a server (WWW server) on the Internet, and displays and reproduces text, images, sounds, and the like on a user's browser. At this time, the resource to be acquired is specified by a uniform resource locator (URL) that specifies a connection method via a network. Regarding this URL, RFC (Reference) which is an Internet standard
1738 and 180 of ce For Comment)
No. 8

[0003] In general, the acquisition of resources on a WWW server is permitted to an unspecified number of users, but the exchange of company documents and personal information, the transfer of money, and the like are not permitted.
You need to log in to the server and allow only authenticated specific users. As an authentication method at this time, there is a method disclosed in Japanese Patent Application Laid-Open No. H10-257048 (hereinafter referred to as Conventional Technique 1). In the method according to the prior art 1, when authentication is required to acquire the resources of a certain server, once the user logs in to the server, the user uses the information indicating that the server has been authenticated by the login process. Write it to the browser as a cookie. This cookie is a function of the browser. Information sent from the server via HTTP can be stored in the browser, and when this browser accesses the server, the information stored in the browser as a cookie can be transmitted together. it can. Thereafter, when the authenticated browser accesses the server, a cookie indicating that the server has been authenticated is passed to the server, and the server obtains the authentication information with the passed cookie and sends the cookie to the browser that has accessed the server. Return resources for a specific user without logging in again. As described above, it is possible to specify the user using the browser and, once logged in, to continuously acquire resources for the specified user from the server without logging in again.

[0004] The cookie is "http: // hom.
e. netscape. com / newsref / st
d / cookie_spec. "PERSISTENT CLIENT ST" which can be obtained at the URL of "html"
ATE HTTP COOKIES "(hereinafter referred to as Reference 1)
).

More specifically, when the server writes a cookie to the browser, the server transmits a Set-Cookie header at the time of HTTP communication. Set-C
The syntax of the cookie header is as follows.

Set-Cookie: NAME = VA
LUE; expires = DATE; path = P
ATH; domain = DOMAIN_NAME;
secure In this syntax, the item of "NAME = VALUE" is essential information, and other items can be omitted, and when omitted, the default value shown in Reference 1 is used. Less than,
The Set-Cookie header will be briefly described.
The item “NAME = VALUE” specifies the name (NAME) of the cookie and its value (VALUE). "E
The item “xIRES = DATE” indicates an expiration date attribute, and specifies the expiration date (DATE) of the cookie. If this item is omitted, the expiration date is the end point of the browser. “domain = DOMAIN_NAME”
Represents the domain attribute, and DOMAIN_NAME indicates the domain information of the server to which the browser sends this cookie.
Specify as The specification of the domain information is evaluated in a backward match with the Internet domain name (hereinafter, referred to as a host name) of the server.

[0007] The host name is a name for identifying a server on the Internet. For example, “acme.
com having a domain attribute of domain information “anvil.com”. acme. com "or" s
shipping. create. acme. com ". However, a server that can distribute a cookie having a domain attribute is limited to a server having a host name that matches backward with the domain information specified by the domain attribute. The cookie having a domain attribute of "com." nec. c
o. jp ", the browser does not end up with the host name" jp ". nec. co. jp "is refused to receive such a cookie. If this item is omitted, the host name of the server that writes the cookie is used as the domain information.

The item “path = PATH” represents a route attribute, and is compared with the route information indicated in the URL, and specifies which resource in the server should be transmitted by the browser when acquiring a resource in the server. The item “secure” specifies that the cookie specified with this attribute should be transmitted only through HTTP communication protected by encryption or the like.

[0009] When a browser transmits a cookie to a server, it transmits a Cookie header during HTTP communication. The syntax of the Cookie header is as follows.

Cookie: NAME = OPAQUE
_STRING; NAME = OPAQUE_STRI
NG; . . . Set- for each NAME and OPAQUE_STRING
"NAME = V" written from the server by Cookie
ALUE "is specified. When multiple cookies are written from the server to the browser,";"
, And multiple messages are sent side by side.

Japanese Patent Application Laid-Open No. 11-282804 (hereinafter referred to as “prior art 2”) discloses a Web service for providing a user with some service via the Internet.
By separating the service server and the Web authentication server for authenticating each user, a plurality of Web service servers can share and use the Web authentication server. This utilizes the redirect function that a browser normally has. When user authentication is required for resources provided by the Web service server, the Web service server sends a W
Send a redirect command to the eb authentication server. The browser that has received the redirect command accesses the Web authentication server specified by the redirect command. The web authentication server accessed from the browser
The cookie written in the browser is used to determine whether the browser is authenticated. If the browser is not authenticated, the user is required to log in. If the login is successful, write the authentication information to the browser cookie. When the authentication is performed again, the Web service server is notified of the authentication without using the authentication information of the cookie without requesting the user to log in again.

[0012]

As described above, the condition under which a cookie written in a browser is transmitted to a server is to access a server having a host name that matches the domain information specified by the domain attribute in the backward direction. The server that is limited to the case and that can write the cookie specifying the domain attribute in the browser is limited to the server that includes the domain information specified by the domain attribute in the host name in a backward match form. Therefore, the same cookie can be written and obtained between servers including the same domain information in the host name, but the same cookie cannot be written and obtained between servers having different domain names.

Therefore, when trying to use the same authentication information between sites operating on different Internet domains, in the prior art, authentication information of a user who has logged in at a server on a certain domain is written as a cookie of a browser. Even if the server on another domain cannot read the cookie, it cannot take over the authentication information. Therefore, each time the user uses a server on each domain, it is necessary to log in again and acquire new authentication information.

[0014] Therefore, a technical problem of the present invention is that, in a service providing server having a plurality of different host names on the Internet, an Internet browser that has once performed login processing can perform a plurality of service providing servers without performing login processing again. An object of the present invention is to provide an information processing system capable of receiving a service and an authentication server program used for the information processing system.

[0015]

According to the present invention, a single login processing server has a plurality of Internet domain names, and the login processing server collectively has authentication information for each domain. The present invention provides an information processing system in which authentication information is inherited even in a plurality of domains by writing the cookie in a browser.

That is, according to the present invention, there is provided an authentication server that issues a cookie based on a request from a client, and a service server that determines whether the cookie is authenticated, wherein the authentication server operates on the client. Receives information from a browser to search for and display information on the Internet, authenticates a user who is using the browser from personal information stored in personal information storage means, and stores authentication information in an authentication state storage means. Authentication means for accumulating information, and issuing domain information representing an Internet domain name, which is stored in the issuing domain storage means and which indicates an Internet domain name for issuing a cookie for writing information to a browser, and representing a domain attribute of the cookie Issuing domain obtaining means for generating information; and writing the cookie to the browser. And a cookie issuing page sending means for sending a cookie issuing page for inserting the cookie, and a cookie issuing means for writing the cookie to the browser in response to a request from the browser. Using a name resolution server that converts a domain name to a communication address, a plurality of different Internet domain names are associated with one communication address of the authentication server, and authentication processing can be performed in common by the plurality of service servers. The service server includes a cookie acquisition unit that reads the cookie issued by the cookie issuing unit and determines whether the user using the browser has been authenticated, Server and the service server operate in cooperation The information processing system is obtained, wherein Rukoto.

According to the present invention, in the information processing system, the authentication unit receives identification information such as a user ID and a password from the browser, and stores the identification information stored in the personal information storage unit. Compared with the information, if there is a match in the personal information storage means, newly create authentication information on the user and accumulate it in the authentication status storage means, and if there is no match, notify the browser that authentication has failed. An information processing system characterized by notification is obtained.

Further, according to the present invention, in the information processing system, the issuing domain acquisition unit acquires the issuing domain information from the issuing domain storage unit,
An information processing system characterized by generating domain information in which a character string representing the authentication server is deleted from the issuing domain information.

Further, according to the present invention, in the information processing system, the cookie issuing page sending means includes the authentication information generated by the authentication means and the publishing information obtained and generated by the issuing domain obtaining means. From the domain information and the domain information, an information processing system is provided which generates the cookie issue page for causing the browser to execute communication to the cookie issuing means for writing the cookie, and returns the page to the browser. .

According to the present invention, in the information processing system, the cookie issuing means generates the cookie from the authentication information and the domain information described in the cookie issuing page received by the browser. According to another aspect of the present invention, there is provided an information processing system wherein the cookie is written to the browser when a communication request is issued from the browser.

Further, according to the present invention, in the information processing system, the cookie acquisition unit is a service server that provides various services to users on the Internet, and the cookie issuing unit writes the cookie into the browser. Reading the cookie and comparing the authentication information described in the cookie with the authentication information stored in the authentication state storage means to determine whether the browser has already been authenticated. An information processing system is obtained.

Further, according to the present invention, a computer
An authentication server program that operates in cooperation with a service server program having a function of issuing an cookie based on a request from a client and having a function of determining whether the cookie is authenticated in the service server, Searching for information on the Internet operating on the client, receiving a request from a browser to display, authenticating a user using the browser from personal information stored in personal information storage means, Authentication means for accumulating information relating to authentication in the storage means, and issuing domain information representing an Internet domain name for issuing a cookie for writing information to the browser, which is stored in the issuing domain storage means, and acquiring the cookie information. Issuance domain that generates domain information representing domain attributes Acquisition means, Cookie issue page sending means for sending a cookie issue page for writing the cookie to the browser, and Cookie issuing means for writing the cookie to the browser in response to a request from the browser And performs processing in cooperation with a name resolution server program that causes a computer to function as a name resolution server that translates an Internet domain name into a communication address using domain name resolution means.
An authentication server program is provided, wherein a domain name is associated with a communication address of one authentication server, and a plurality of service servers cause a computer to perform a common authentication process.

According to the present invention, in the authentication server program, the authentication unit receives identification information such as a user ID and a password from the browser,
The personal information is compared with the identification information stored in the personal information storage means. If there is a match in the personal information storage means, authentication information relating to the user is newly created and stored in the authentication state storage means. If there is nothing to do, the service server program has a function of notifying the browser of authentication failure, and the service server program reads the cookie issued by the cookie issuing means, and the user using the browser is authenticated. An authentication server program characterized by being a program for causing a computer to function as a cookie acquisition unit for determining whether or not the authentication server program has been executed.

According to the present invention, in the authentication server program, the issuing domain acquiring means acquires the issuing domain information from the issuing domain storage means, and a character string representing the authentication server from the issuing domain information. Thus, an authentication server program characterized by generating domain information from which an is deleted is obtained.

Further, according to the present invention, in the authentication server program, the cookie issue page sending means includes the authentication information generated by the authentication means and the issuance generated and generated by the issuance domain obtaining means. From the domain information and the domain information, an authentication server program is provided which generates the cookie issue page for causing the browser to execute communication to the cookie issuing means for writing the cookie, and returns the page to the browser. .

According to the present invention, in the authentication server program, the cookie issuing means generates the cookie from the authentication information and the domain information described in the cookie issuing page received by the browser. An authentication server program is provided which writes the cookie to the browser when a communication request is made from the browser.

According to the present invention, in the authentication server program, the cookie obtaining means functions in the service server that provides various services to users on the Internet, and the cookie issuing means operates in the browser. A function of reading the written cookie and comparing the authentication information described in the cookie with the authentication information stored in the authentication status storage unit to determine whether the browser has been authenticated. And an authentication server program characterized by cooperating with the service server.

[0028]

Embodiments of the present invention will be described below with reference to the drawings.

FIG. 1 is a diagram showing a configuration of an information processing system according to an embodiment of the present invention.

As shown in FIG. 1, the information processing system 10
Now, an unspecified number of clients 1 used by general users, a name resolution server 2 for translating names on the Internet into actual communication addresses, and a world wide service for actually providing services to users through the Internet -It is provided with a plurality of service servers 3 on which web servers (WWW servers) are operating, and an authentication server 4 which performs user login processing to perform authentication. Here, the client 1, the name resolution server 2, the service server 3, and the authentication server 4 are connected via a network such as the Internet. The functions of the name resolution server 2, the service server 3, and the authentication server 4 can be performed by the computer by the name resolution server program, the service server program, and the authentication server program 4, respectively.

On the client 1, a browser 11 is operating, and communicates with the name resolution server 2, the service server 3, and the authentication server 4 to acquire resources on the server.

A domain name resolution means 12 operates on the name resolution server 2, and the domain information storage means 1
Based on the information stored in 51, a conversion process is performed from a host name indicating a host on the Internet to an actual communication address. The domain name resolving means 12 is generally called a domain name server (DNS).
It is defined in RFC Nos. 1034 and 1035 which describe Internet standards.

Table 1 shows an example of the contents of the domain information recording means 5.

[0034]

[Table 1]

In the example shown in Table 1, "www.jr-od
ekake. The host name “net” is “123.4.
5.6 "and converted to a communication address" www.j ".
rwest. co. jp "is" 10.
5.6.7 ".

The domain name resolving means 12 may operate in cooperation with a plurality of name resolving servers 2, and a plurality of domain information storing means 5 may be provided.

A WWW server is operating in the service server 3 and receives communication using HTTP from the browser 11 and returns resources. This WWW server has a server function extension mechanism, and a cookie acquisition unit 13 for acquiring authentication information stored as a cookie in the browser 11 is operating using the mechanism.

Also, a WWW server having the same or the same function as the service server 3 is operating on the authentication server 4, receives communication using the HTTP from the browser 11, and performs a login process. This WWW server has a function extension mechanism of the server. Using the mechanism, an authentication unit 14 which receives a login request from the browser 11 and performs an actual login process, and transmits domain information for issuing a cookie when the login is successful. The issuing domain acquiring unit 15 to be acquired, the cookie issuing page sending unit 16 for sending a cookie issuing page for writing a cookie to the browser 11 based on the domain information acquired by the issuing domain acquiring unit 15, On the other hand, the cookie issuing means 17 for issuing a cookie is operating. Also, a personal information storage unit 6 for storing personal information of a user using the browser 11, an authentication state storage unit 7 for storing an authentication state of the browser 11, and a host name of an authentication server 4 for issuing a cookie. Is connected to the service server 3 and the authentication server 4.

The personal information storage means 6, the authentication status storage means 7, and the issuing domain storage means 8 may be mounted in a world wide web server in order to reduce the trouble of system construction.

As a specific example of the embodiment of the present invention, there are three service servers 3 whose host names are “ww”.
w. jr-odekake. net "," www.ne
c. co. jp "," excite.jrwest.c "
o. jp ". At this time, the domain information of each service server 3 is “jr-od
ekake. net "," nec.co.jp "," j
rwest. co. jp ”.

Authentication server 4 according to the embodiment of the present invention
Is the authentication server 4 in the domain information for each server.
With a host name. For example, assuming that the character string indicating the authentication server 4 is “ninsyou”, “ninsyou.jr”
-Odekake. net "," ninsyou.ne "
c. co. jp "," ninsyou.jrwest.
co. jp ". Here the authentication server 4
Have the same number of host names as the number of types of domain information of the service server 3 that performs common authentication. When a plurality of service servers 3 have the same domain information, the authentication server 4 only needs to have one host name for the domain information.

Table 2 below shows an example of the domain information storage means at this time.

[0043]

[Table 2]

As shown in Table 2 above, each service server has “www.jr-odekake.net”, “w
ww. nec. co. jp "," excite.jrw "
est. co. jp ", and their communication addresses are" 123.4.5.56 "and" 192.
168.1.10 "and" 10.5.6.8 ". The host name of the authentication server 4 corresponding to each service server 3 is “ninsyou.jr-odeka”.
ke. net "," ninsyou.nec.co.j "
p "," ninsyou.jrwest.co.jp "
And each host name is the same as the authentication server 4
And the communication address is the same. Here, if the communication address indicating the authentication server 4 stored in the domain information storage means 5 is different, the final control is performed using a device having a communication address conversion function generally called a router and a switch for controlling a communication path. Alternatively, the same communication address may be indicated. When the authentication server 4 is equipped with a plurality of communication devices and can use a plurality of communication addresses, the communication address indicating the authentication server 4 stored in the domain information storage unit 5 is indicated by the plurality of communication addresses. No problem.

Table 3 shows the domain information of the issuing domain storage means 8 at this time.

[0046]

[Table 3]

FIG. 2 is a flowchart showing the operation of the user login process.

Referring to FIG. 2, a user login process will be described based on the above example.

First, the authentication server 4 uses the authentication means 14 on the WWW server to send the I
D and the password are received from the browser 11 (step S1). At this time, if the information can identify the user such as fingerprint information, it may be used instead of the ID and the password. Authentication means 1 that received ID and password
4 compares the ID and password stored in the personal information storage means 6 with the ID and password received from the browser 11 (step S2).

Table 4 shows an example of the personal information storage means 6 at this time.

[0051]

[Table 4]

As shown in Table 4 above, in this example, the ID
The password of the user “XYZ00001” is “QLs
iJD11 ". The personal information storage means 6 may store information such as the name and address of the user in addition to the ID and the password. Also,
Information such as an ID and a password may be encrypted by some encryption method. Next, as a result of the comparison of the ID and the password, it is confirmed whether they match (step S3),
If they do not match, the authentication failure is notified to the browser 11 (step S4), and the login processing ends. If they match, authentication information indicating that the browser 11 has been authenticated is generated (step S5). This authentication information may be any value as long as it is a unique value for each browser 11. The generated authentication information is stored in the authentication state storage means 7 together with the ID (step S6).

Table 5 shows an example of the authentication status storage means 7 at this time.

[0054]

[Table 5]

In the example shown in Table 5, the ID “XYZ0000”
1 "has been authenticated with the authentication information" IOJ99312-3333jd ". At this time, in addition to the ID and the authentication information, the authentication information storage unit 7 may store the time when the login is successful, and may use the time for the time-out process. Next, the issuing domain acquisition unit 15 acquires the issuing domain information of the cookie from the issuing domain storage unit 8 (step S7).

In the example of Table 3, “ninsyou.jr-
odekake. net "," ninsyou.ne "
c. co. jp "," ninsyou.jrwest.
co. jp ”is obtained. Issuing domain acquisition means 15
Creates domain information by deleting the character string indicating the authentication server 4 from the acquired issuing domain information (step S8). In the above example, “jr-odekake.ne
t "," nec.co.jp "," jrwest.c "
o. jp ”is created. Next, the cookie issuing page sending means 16 generates the cookie issuing page in steps S5, S7 and S8,
A cookie issue page is created based on the acquired authentication information, issue domain information, and domain information, and sent back to the browser 11 (step S9).

FIG. 3 is a diagram showing an example of the cookie issuing page in the above example. As shown in FIG. 3, the cookie issuing page is described in a description language generally called HTML, and can be instructed by the browser 11 to perform various processes by being interpreted by the browser 11. HT
Regarding the ML, "http: //www.w3co.o"
"Hyp" that can be obtained with the URL of rg / MarkUp / "
erText Markup Language Ho
me page ”.

Of the HTML descriptions shown in FIG. 3, the description relating to cookie issuance is <FRAME. . . . >. <FRAME. . . > Indicates SRC
Is instructed to the browser 111 to access the URL indicated by the item. For example, <FRAME SRC =
“Http: //ninsyou.jr-odekak
e. net / cookie? C_ID = IOJ9931
2-3333jd & DOM_NAME = jr-odek
ake. net "> is ninsyou.jr-mode
kake. net from the authentication server 4 indicated by net
The authentication information “IOJ99312-3333jd” is sent to the cookie issuing unit 17 designated by the name “kie”.
As the C_ID, the cookie domain information “jr-o
dekake. "net" is specified as an argument as DOM_NAME, and the browser 11 is instructed to access. At this time, the browser 11 displays <FRAME. . . >
<NOFRAMES in case the description cannot be processed
> Description and <FRAME. . . > Instead of description
IMAGE. . . > The description may be used. Also,
Write on the cookie issue page <FRAME. . . >
Is set to only one, and the cookie issuing unit 17 accessed by another host name during the reply of the cookie issuing unit 17
May be described, and cookies may be issued in sequence. Upon receiving the cookie issuing page, the browser 11 sends the authentication server 4 according to the HTML description in the page.
Access the above cookie issuing means 17 (step S
10). The cookie issuing means 17 is a URL for accessing
The authentication information described as C_ID therein is specified as a cookie value, and the cookie information is created using the domain information specified as DOM_NAME as a domain attribute,
The above-mentioned HTTP Set-Cookie is sent to the browser 11.
Writing is performed using the e header (step S11). For example, if the cookie issuing unit 17 determines that <FRAME SRC =
“Http: //ninsyou.jr-odekak
e. net / cookie? C_ID = IOJ9931
2-3333jd & DOM_NAME = jr-odek
ake. net ">, the authentication information is" IOJ99312-3333jd ",
The domain information is “jr-odekake.net”, and the cookie issuing unit 17 sets the “Set-Cookie”.
e: C_ID = IOJ99312-3333jd;
domain = jr-odekake. A header “net” is transmitted to the browser 11. As described above, the browser 11 having received the header sets the cookie issuing unit 17 to “http: //ninsyou.jr-”.
odekake. net "and the domain attribute" jr-mode "specified in the cookie.
kake. net ”, writing of the cookie is permitted, the name is“ C_ID ”, and the value is“ IOJ9 ”.
9312-3333jd ". The browser 11 is described in the cookie issue page <
Steps S10 and S11 are repeated for FRAME> description.

In the example, ninsyou. jr-odek
ake. net, ninsyou. nec. co. j
p, ninsyou. jrwest. co. Reference will be made to the cookie issuing means 17 on jp, which all indicate the communication addresses for the same authentication server 4 as shown in Table 2.

Through the above steps S1 to S11, a cookie for each service server 3 on the local area network is written on the browser 11 that has successfully logged in.

Next, FIG. 4 is a diagram for explaining the authentication processing when the service server 3 providing the service for a specific user receives access from the browser 11. Referring to FIG. 4, first, the service server 3
Checks whether the browser 11 has transmitted the authentication information as a cookie when the browser 11 has accessed it (step S21). At this time, if the browser 11 performs the log-in process in steps S1 to S11 described above, the browser 11 adds a Cookie header during the HTTP communication to the authentication server 4 as described above, and the Cookie header is added to the Cookie header. The authentication information stored as the cookie is transmitted to the authentication server 4.

If the browser 11 has not transmitted the authentication information as a cookie, the authentication server 4 cannot receive the authentication information, and the browser 11 rejects the service for the specific user as unauthenticated (step S2).
2). If the authentication information can be received as a cookie by the authentication server 4, it is checked whether the authentication information is stored in the authentication status storage means 7 (steps S23, S24).
At this time, processing for confirming whether or not the authentication information is correct may be performed by using encryption technology or the like to enhance security. If the received authentication information is not stored in the authentication storage means 7, the service for a specific user is rejected as being incorrect authentication information (S25). If the received authentication information is stored in the authentication storage unit 7, it is determined that the accessing browser 11 has already been authenticated, and the browser 11 is permitted to use the service for the specific user. Through each of the steps S21 to S26, each service server 3 can determine whether or not the accessed browser 11 has been authenticated. Steps S22 and S25
If the service for a specific user is rejected in each step of the above, processing such as transfer may be performed to prompt the user to log in at the authentication server 4.

Steps S1 to S11 and S21 to S
In the communication between the client 1, the service server 3, and the authentication server 4 in each of the steps 26, it is desirable to encrypt communication contents in order to enhance security. In addition, the service server 3, the authentication server 4, the personal information storage unit 6,
It is desirable that the authentication state storage means 7 and the issue domain storage means 8 operate on the same local area network in order to enhance security. When communicating with the browser 11, it is desirable to use a communication device generally known as a firewall to enhance the security of communication.

[0064]

As described above, by using the present invention, a user using a browser can log in once and share authentication information with a plurality of service servers having different domains. There is no need to log in again for each server, which makes it easy to guide users using a certain service server to service servers running on other domains, increasing the number of users using the service It is possible to provide an information processing system capable of causing the information processing system to perform the processing.

Further, according to the present invention, when constructing each service server, any Internet domain name may be used, and an Internet domain name which is easy for the user to remember according to the contents of the service can be used. Thus, it is possible to impress the Internet domain name of the service server deeply to an unspecified number of users, and to provide an information processing system capable of increasing the number of users using the service.

[Brief description of the drawings]

FIG. 1 is a block diagram showing an information processing system according to an embodiment of the present invention.

FIG. 2 is a flowchart illustrating an operation of the information processing system of FIG. 1;

FIG. 3 is a diagram showing an example of a cookie issue page issued by the information processing system according to the embodiment of the present invention.

FIG. 4 is a flowchart illustrating a process of determining an authenticated browser in a service server of the information processing system according to the embodiment of the present invention.

[Explanation of symbols]

 Reference Signs List 1 client 2 name resolution server 3 service server 4 authentication server 5 domain information storage means 6 personal information storage means 7 authentication status storage means 8 issue domain storage means 10 information processing system 11 browser 12 domain name resolution means 13 cookie acquisition means 14 authentication means 15 Issuing domain acquisition means 16 Cookie issuing page sending means 17 Cookie issuing means

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Masato Kudo 5-7-1 Shiba, Minato-ku, Tokyo Inside NEC Corporation (72) Inventor Hiroki Anfuku 2-4-2 Shibata, Kita-ku, Osaka-shi, Osaka No. West Japan Railway Company F-term (reference) 5B085 AE02 AE23 BG07

Claims (12)

[Claims] 1. An authentication server that issues a cookie based on a request from a client, and a service server that determines whether the cookie is authenticated, wherein the authentication server transmits information on the Internet that operates on the client. Receives requests from browsers to search and display,
An authentication unit that authenticates a user using the browser from personal information stored in personal information storage unit and stores information related to authentication in an authentication state storage unit; and a browser stored in an issue domain storage unit. Issue domain information representing an Internet domain name for issuing a cookie for writing information to the publishing domain, issuing domain acquisition means for generating domain information representing a domain attribute of the cookie, and writing the cookie to the browser And a cookie issuing page sending means for sending a cookie issuing page, and a cookie issuing means for writing the cookie to the browser in response to a request from the browser. Name resolution server that converts name to communication address And a plurality of service servers are configured to associate a plurality of different Internet domain names with a communication address of one of the authentication servers so that authentication processing can be performed in common by the plurality of service servers. The authentication server and the service server operate in cooperation with each other, including a cookie acquisition unit that reads the issued cookie and determines whether the user using the browser is authenticated. An information processing system, comprising: 2. The information processing system according to claim 1, wherein said authentication means transmits a user ID,
Receives identification information such as a password, compares it with the identification information stored in the personal information storage means, and if there is a match in the personal information storage means, newly creates authentication information for the user and performs the authentication. An information processing system, wherein the information is stored in a state storage unit, and if there is no match, the authentication failure is notified to the browser. 3. The information processing system according to claim 1, wherein the issuing domain acquisition unit acquires the issuing domain information from the issuing domain storage unit, and deletes a character string representing the authentication server from the issuing domain information. An information processing system that generates generated domain information. 4. The information processing system according to claim 1, wherein said cookie issue page sending means sends said authentication information generated by said authentication means and said issue domain information obtained and generated by said issue domain obtaining means. An information processing system that generates the cookie issue page for causing the browser to execute communication to the cookie issuing unit that writes the cookie from the domain information, and returns the page to the browser. 5. The information processing system according to claim 4, wherein the cookie issuing unit generates the cookie from the authentication information and the domain information described in the cookie issue page received by the browser, An information processing system wherein the cookie is written in the browser when a communication request is made from the browser. 6. The information processing system according to claim 1, wherein the cookie obtaining unit is a service server that provides various services to users on the Internet, wherein the cookie issuing unit writes the cookie written in the browser. Reading the authentication information described in the cookie and comparing the authentication information stored in the authentication state storage means with the authentication information to determine whether the browser has already been authenticated. Processing system. 7. A computer that has a function of an authentication server that issues a cookie based on a request from a client and that operates in cooperation with a service server program that has a function of determining whether the cookie is authenticated in a service server. An authentication server program that searches information on the Internet operating on the client, receives a request from a browser to display,
An authentication unit that authenticates a user using the browser from personal information stored in personal information storage unit and stores information related to authentication in an authentication state storage unit; and a browser stored in an issue domain storage unit. Issue domain information representing an Internet domain name for issuing a cookie for writing information to the publishing domain, issuing domain acquisition means for generating domain information representing a domain attribute of the cookie, and writing the cookie to the browser A cookie issuing page sending means for sending a cookie issuing page for the server, and a cookie issuing means for writing the cookie to the browser in response to a request from the browser.・ Change from domain name to communication address And performs a process in cooperation with a name resolution server program functioning as a name resolution server, associates a plurality of different Internet domain names with a communication address of one authentication server, and performs authentication processing in common from a plurality of service servers. An authentication server program that causes a computer to function as if it were to be performed. 8. The authentication server program according to claim 7, wherein said authentication means transmits a user's I
D, receives identification information such as a password, compares it with the identification information stored in the personal information storage means, and if there is a match in the personal information storage means, newly creates authentication information for the user. The service state is stored in the authentication state storage means, and if there is no match, the browser has a function of notifying the browser of authentication failure, and the service server program reads the cookie issued by the cookie issuing means, An authentication server program characterized in that the authentication server program is a program for causing a computer to function as a cookie acquisition unit that determines whether or not a user who uses the Web server is authenticated. 9. The authentication server program according to claim 7, wherein the issuing domain acquisition unit acquires the issuing domain information from the issuing domain storage unit, and deletes a character string representing the authentication server from the issuing domain information. An authentication server program for generating domain information. 10. The authentication server program according to claim 9, wherein said cookie issuing page sending means sends said authentication information generated by said authentication means and said issuing domain information obtained and generated by said issuing domain obtaining means. And an authentication server program for generating, from the domain information, the cookie issue page for causing the browser to execute communication to the cookie issuing means for writing the cookie, and returning the page to the browser. 11. The authentication server program according to claim 10, wherein the cookie issuing unit generates the cookie from the authentication information and the domain information described in the cookie issuing page received by the browser, An authentication server program for writing the cookie to the browser when a communication request is made from the browser. 12. The authentication server program according to claim 7, wherein said cookie obtaining means functions in said service server for providing various services to a user on the Internet, and said cookie issuing means writes in said browser. A function of reading the cookie and comparing the authentication information described in the cookie with the authentication information stored in the authentication state storage means to determine whether the browser has been authenticated. And an authentication server program for cooperating with the service server.