JP2002278931A - Method and system for managing log-in - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve a problem that the convenience of users is bad and the identification of service lacks when a plurality of sites authenticate the users even if they have a cooperative relation. SOLUTION: A member management site 14 being a first site supplies a link to a cooperative company site 30 being a second site. An address generation part 20 sets URL of a substitute server 110 in a user terminal 12 when the user clicks a link part. At that time, time limit is given to service. The substitute server 110 logs in to the cooperative company site 30 and transfers information to the user terminal 12.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to a login management technique, and more particularly to a login management method and system for controlling when a user logs in to a site on a network.

[0002]

2. Description of the Related Art Electronic commerce using networks, especially the Internet, is expected to occupy a large proportion of the national economy in the near future. Not only IT-related companies but also IT-related companies, the attitude of building a website and transmitting information seems to be a necessary condition for survival.

Under these circumstances, ASP (Application Se
rvice Provider) The business is expanding. Companies outsource some or all of the design, construction, and operation of optimal websites to ASPs, and focus on ensuring the stability of existing businesses while rapidly and efficiently deploying business expansion through the Internet through outsourcing. ing.
On the other hand, business cooperation using the Internet is also expanding rapidly. For example, manufacturers in the same industry gather to stabilize parts procurement and reduce costs, form electronic malls to expand the possibilities of user selection, and increase the number of cross-industry alliances that use the same brand. ing. In such a case, the ASP is required to have a service design in which alliances of the same or different industries have a sense of unity when viewed from the user.

[0004]

However, in practice, the domain name of the site differs for each company, and there is a wall in forming a sense of unity as a federation on the Web. The present invention has been made by the present inventor recognizing this point, and one object of the present invention is to realize a service that gives a sense of unity to cooperation between a plurality of entities from a technical element of login management. Another object of the present invention is to realize a service with a sense of unity from the viewpoint of an ASP whose business is expanding. Still another object of the present invention is to provide a technology that simplifies user login and also considers security in a service that treats a user as a member.

[0005]

One embodiment of the present invention relates to a login management method. In this method, after a user inputs information for authentication and logs in to a first site on a network, and tries to log in to a second site by following a link from the site, the first site The information for authentication is added to an address for accessing the second site and provided for the access.

[0006] Here, the "site" may be a server or any other node in the site, and is simply referred to herein as a site. An example of the address is URL (Uniform Resour
ce Locator), for example, when the user is browsing the first site with a web browser, it is assumed that the user clicks a link to the second site provided on the page. At this time, the URL of the second site is set in the browser of the user. In this embodiment, information for authentication (hereinafter, also simply referred to as authentication information) is added to the URL. For example, the authentication information and the URL body are decomposed by the function of the browser, so that the user can access the second site and automatically respond to the authentication request issued from the second site. An example of the authentication information is a set of a user ID and a password, but is not limited to this. In addition to the case where the authentication information is added to the address as it is, the authentication information may be added one-time or after being encrypted. The information is added to the address for accessing the second site and is provided for the access. "

According to this aspect, the user does not need to go through a new authentication procedure when logging in to the second site.
Therefore, for example, when the first site and the second site are in a cooperative relationship, it is possible to enhance user convenience and foster a sense of unity of services.

[0008] The expiration date of the authentication information is appropriately set from the first site to the second site, and the second site permits a user who logs in by following the link from the first site to access only within the expiration date. May be. The phrase “from the first site to the second site” does not necessarily mean that the first site is the initiative, and the second site may acquire the setting contents by a so-called pull-type operation. This setting may be notified, for example, in a list in which authentication information of users who are permitted to access is listed. In this case, the authentication information described in the list is appropriately changed and notified, so that the expiration date can be used without any practical problems. Can be set. For example,
If the list is transmitted at intervals of 30 minutes and the authentication information of a certain user is listed only once, the expiration date of the user is effectively 30 minutes. The expiration date can be changed by changing the number of times of listing in each user. Of course, the expiration date may be directly described and transmitted for each user authentication information.

[0009] Another embodiment of the present invention also relates to a login management method. This method includes the steps of, when a user attempts to log in to a predetermined site, guiding the user to a relay base acting on behalf of the site, and transmitting the site information obtained at the relay base to the user from the relay base. Providing. With this configuration, when the relay base obtains site information,
The authentication information is transmitted to the site, and after being authenticated as a user from the site, the user logs in to the site.

[0010] Still another embodiment of the present invention also relates to a login management method. In this method, after a user inputs information for authentication and logs in to a first site on a network, and tries to log in to a second site by following a link from the site, the user is referred to as a second site. To the proxy server of the second site, and the second step obtained by the proxy server
Providing the information of the site from the proxy server to the user. In this configuration, when the proxy server obtains the information of the second site, the proxy server logs in to the second site after being authenticated as one user from the second site.

According to this aspect, since the proxy server logs in to the second site on behalf of the user, there is no need for the user to take the log-in procedure again. on the other hand,
Since the user is authenticated when logging in to the first site, care is taken in terms of security.

When the user follows the link, the first site adds information on the expiration date at which the user can obtain the information of the second site to an address for accessing the proxy server, and then proceeds to the access. May be served.
The information on the expiration date is encrypted, and the proxy server may decode and interpret the information, and may stop providing the user with the information on the second site when the expiration date has expired.

The advantage of having an expiration date lies in security. With the above arrangement, the second site can delegate the authentication of the user to the first site. If a configuration is such that a link to the second site is visible only when a certain user logs in to the first site, access to the second site can be effectively restricted. However, if the user bookmarks this while accessing the second site, even a person who is not the user thereafter can access the second site by relying on the bookmark. Now, if the second site transmits information to be disclosed only to members, there is room for improvement in security. For this reason, if the expiration date is set relatively short, even if the bookmark is made, it becomes easier to prevent anyone other than the user from browsing the second site.

Still another preferred embodiment according to the present invention relates to a login management system. The system includes a first site. A first site configured to authenticate a user when the user inputs information for authentication and requests a login;
A link control unit that provides a link to the second site to the logged-in user. The link control unit includes an address generation unit that generates an address for the user to access the second site in a form to which the information for authentication is added.

Still another preferred embodiment according to the present invention relates also to a login management system. When a user accesses a predetermined site, the system includes a relay base that mediates the access. The relay base transmits, from the site, an authentication requesting unit that transmits information necessary for itself to be authenticated as a user, and, when authenticated as a user from the site, logs in to the site and obtains information obtained by the authentication. And an information transfer unit provided to the user.

Still another preferred embodiment according to the present invention relates also to a login management system. The system includes a first site and a proxy server. The first site includes an authentication unit that authenticates the user when the user inputs information for authentication and requests login, and a link control unit that provides a link to the second site to the logged-in user. including. The link control unit includes an address generation unit that generates an address for the user to access the proxy server. Also,
The proxy server transmits, from the second site, an authentication request unit that transmits information necessary for being authenticated as a user, and when the proxy server is authenticated as a user from the second site, the proxy server logs in to this site and obtains the information. An information transfer unit for providing information to the user.

Therefore, when the user logs in to the first site after authentication and tries to access the second site by following the link, the user is connected to the proxy server.
The proxy server itself is authenticated as a user from the second site, and thereafter provides the information of the site to the user.

[0018] The proxy server may further include a term monitoring unit for interpreting the information regarding the expiration date and monitoring the expiration of the expiration date, and when the expiration date has passed, the provision of the information to the user may be stopped. To stop providing information, the proxy server may disconnect the session established with the second site for the user, or may prohibit transfer by the information transfer unit.

Still another preferred embodiment according to the present invention relates also to a login management system. The system includes a first site where a user first logs in and a proxy server. The proxy server is constructed under a domain name similar to that of the first site. Similarity includes the same, and also includes the subdomain name of the domain name of the first site. When a user requests login to a second site while having a session with the first site, the first site changes the user's access destination to the proxy server. The proxy server obtains information from the second site on behalf of the user and provides the information to the user.

Any combination or rearrangement of the above-described components, and the present invention expressed as a method, a system, a computer program, a recording medium, or the like are also effective as embodiments of the present invention.

[0021]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiment 1 FIG. 1 shows a configuration of a login management system 10 according to the first embodiment. In the login management system 10, a user terminal 12, a member management site 14, which is a first site, and a cooperating company site 30, which is a second site, are connected via an unspecified Internet. The domain name of the member management site 14 is web-a.com, and the domain name of the partner company site 30 is web
-b.com.

The member management site 14 cooperates with the cooperating company site 30 for a certain service, recruits members for the service, and functions as a contact for the members. Therefore, the login management system 10 may include many cooperating companies other than the cooperating company site 30, and in that case, the significance of the member management site 14 as a window increases. As an example, the member management site 14 is a virtual mall that provides rare items to members, and the cooperating company site 30 is an import general store that has opened a store there. Because the member receives a membership fee, the partner company site 30 permits access only to the member.

The member management site 14 has an authentication unit 16, a link control unit 18, and a term setting unit 22. Authentication unit 1
6 is when the user requests a login (path s in the figure)
Authenticate this. When a user becomes a member of this service, a user ID and a password (hereinafter, also referred to as authentication information) are given. Unless otherwise noted below,
"User" and "member" are not distinguished in terms of expression.

The authenticated user can log in to the member management site 14 member page. This page has various information, including a link to the cooperating company site 30. The link is configured so that only the user who can log in to the member management site 14 can see the link.

The link controller 18 acquires this action when the user clicks on the link. The address generator 20 of the link controller 18 generates an address to be set in the browser of the user terminal 12, that is, a URL of the cooperating company site 30. Usually, the URL is fixed, but here, the authentication information of the user is added to the URL and set in the browser as described later. The browser extracts the authentication information added to the URL, and extracts the original URL.
Only the part is used for access to the cooperating company site 30, and when the input of the user ID and the password is requested from the cooperating company site 30, the extracted authentication information is automatically transmitted to the cooperating company site 30. This function is a function implemented in a web browser that is recently used as a standard, and is used in the present embodiment. As a result of the above processing, the access destination of the user is conceptually the route t in the figure.
And the connection destination of the user terminal 12 becomes the partner company site 30 according to the route u in the figure.

The expiration date setting section 22 sets an expiration date during which a user can access the cooperating company site 30. The time limit setting unit 22 transmits an “access-permitted user list” described below to an authentication server (not shown) of the cooperating company site 30 by FTP (File T
ransfer Protocol). In the list, the authentication information of the user who is permitted to access the cooperating company site 30 is described, and the authentication server of the cooperating company site 30 restricts the access of the user by looking at the list.

FIG. 2 shows a URL generated when a user follows a link. First, the user first attempts to log in to the member management site 14 by inputting ID and password (ID: PW in the figure) as authentication information. The authentication unit 16 acquires the authentication information, approves the login, and notifies the address generation unit 20 of this information. The address generation unit 20 adds the authentication information to generate a URL as follows, and this is set in the browser of the user terminal 12. http: // ID: PW@www.web-b.com/xxx

FIG. 3 shows the access-permitted user list 3 described above.
2 is shown. In the access-permitted user list 32, authentication information of a user who is permitted to access the cooperating company site 30 is described by a serial number in the order of login.
Here, the users of the login numbers 33 to 50, that is, “ID33: PW33” to “ID50: P
Access of the user “W50” is permitted. The access-permitted user list 32 is transmitted from the time limit setting unit 22 to the cooperating company site 30, for example, once an hour. At the next transmission, the currently listed authentication information is cleared, and the authentication after “ID51: PW51” is performed. Information is described instead. In this way, user access can be limited to one hour. Here, the term “expiration date for permitting access” includes an expiration date for logging in and an expiration date for the duration of a session. When the duration of the session exceeds one hour, the authentication server or other components of the cooperating company site 30 may notify the user to that effect and prompt the user to log in again.

FIG. 4 shows an example of a service having the above configuration. The member screen 40 appears when the user first logs in after being authenticated by the member management site 14. Here, the service provided by the member management site 14 is displayed as “XXX online mall”, and the user is referred to as “member @
Δ ”indicates that the member has a discount privilege. In the lower part of the screen, “daily necessities”, “furniture”, “clothing” and the like are listed under the title of “product directory”. Here, when the user clicks the clothing link 42, the action is acquired by the link control unit 18,
Thereafter, through the above-described processing, access to the cooperating company site 30 in charge of “clothing” is realized.

As described above, according to the present embodiment, when the user logs in to the member management site 14, the cooperating company site 30
There is no need to perform the authentication procedure again when logging in to.
For this reason, the convenience of the user is enhanced, and at the same time, the service provided by the cooperation between the member management site 14 and the cooperating company site 30 has a sense of unity. In addition, since the cooperating company site 30 actually performs authentication using the authentication information from the member management site 14, security is also considered. Furthermore, since the expiration date is set for the access, even if the URL of the cooperating company site 30 is bookmarked, a mechanism that cannot be easily accessed by anyone other than the member is realized.

In FIG. 2, for simplicity of understanding, "ID: PW" which is the authentication information input by the user has been described as being incorporated in the URL generated by the address generation unit 20 as it is. Are different,
This is desirable both in terms of security and simplification of the address generation algorithm. For this purpose, "ID: PW" incorporated in the URL generated by the address generation unit 20 may have a one-time property, and a serial number may be simply given as an example. In this case, the contents of the access-permitted user list 32 in FIG. 3 can be simply described with the serial number, which is advantageous in both management and list creation. However, from the viewpoint of further enhancing security, it is naturally desirable to add a process such as randomization at the time of one-time operation.

Embodiment 2 FIG. 5 shows a configuration of a login management system 100 according to the second embodiment. Unlike Embodiment 1, a proxy server 110 is provided, and a user accesses the cooperating company site 30 through the proxy server 110. In the second embodiment, the proxy server 110 can be constructed using a domain name similar to that of the member management site 14, and the sense of unity of the service is further improved.

As in the first embodiment, the link from the user to the cooperating company site 30 is visible only to the member who can log in to the member management site 14, and the access to the cooperating company site 30 is relayed by the proxy server 110. Therefore, the security of the partner company site 30 is high. Proxy server 1
In order to obtain information on the cooperating company site 30 instead of the user, the user 10 is authenticated as one user from the viewpoint of the cooperating company site 30. It is characteristic that a so-called proxy server goes through an authentication procedure using an ID, a password, and the like with the proxy site. Hereinafter, the same components as those in the first embodiment are denoted by the same reference numerals, and the description will be focused on the differences from the first embodiment.

The term setting unit 22 moves to the inside of the address generation unit 20, and the address generation unit 20 further
Having. In this embodiment, after the expiration date generated by the encryption unit 102 is encrypted by the encryption unit 102,
It is added to the URL. However, the URL points to the proxy server 110 instead of the cooperating company site 30. The expiration date is not described in the list, but is directly described in the form of “access time” and “end time” of the access. Some standard DNS (Domain Name Server) functions can specify a wildcard. In this embodiment, the expiration date is written in the wildcard portion. An example of the URL generated by the address generation unit 20 is as follows, and the encrypted “ztAjJ4kiq1
Specify "SI" as a wildcard and pass through DNS. http://ztAjJ4kiq1SI.web-a.abc-proxy.com (Equation 1)

The user logs in to the member management site 14 (path s), finds a link to the cooperating company site 30 on the member-only page, and clicks on it. The address generation unit 20 adds an expiration date to the URL and sets the URL in the browser. The access destination of the user is now the proxy server 110
(Path u). The proxy server 110 is a CGI (Common
When the user accesses the terminal via a gateway interface, the information is acquired from the cooperating company site 30 and transferred to the user. The proxy server 110 logs in to the cooperating company site 30 on behalf of the user (path v), and allows the user to browse the information of the cooperating company site 30 (path v, w). Thereby, the access destination substantially moves from the member management site 14 to the cooperating company site 30 (path t).

The proxy server 110 has a term monitoring unit 112, an authentication requesting unit 114, and an information transfer unit 116. When a user accesses, the authentication requesting unit 114 transmits a user ID and a password to log in to the cooperating company site 30, and requests an authentication procedure. This user I
D and password are not for the user, proxy server 1
The proxy server 110 is seen as one user from the cooperating company site 30 by itself. After the proxy server 110 logs in to the cooperating company site 30, the information transfer unit 11
6 transfers the information of the cooperating company site 30 to the user.

The expiration date monitoring unit 112 includes the address generation unit 20
Detects and decodes the expiration date embedded in the URL, and monitors the expiration date. When the time limit comes, proxy server 1
The session between 10 and the partner company site 30 is disconnected.

FIG. 6 shows processing until the user accesses the proxy server 110. First, the user first accesses the member management site 14 as a member, receives authentication by the authentication unit 16 (S10), and logs in to the member management site 14 (S12). The user then goes to partner company site 3
Click on the link to 0 (S14). The address generation unit 20 generates the URL shown in Expression 1 (S16), which is set in the browser of the user terminal 12, and realizes access to the proxy server 110 (S18).

FIG. 7 shows a case where the proxy server 110 sends the user terminal 1
2 shows a process in which information is provided. When accessed by the user or at an arbitrary timing before that, the cooperating company site 30 authenticates this in response to the login request from the authentication requesting unit 114 (S30). After authentication,
The proxy server 110 logs in to the cooperating company site 30 (S32). When the user accesses the proxy server 110, if the expiration date of the user has not arrived (N of S34), the information transfer unit 116 acquires the user's action (S36) and displays the necessary page on the partner company site 30. To the user terminal 12 (S38). After that, the same processing is repeated until the expiration date comes, and when the expiration date comes (Y in S34), the session for the user is disconnected (S40), and the process exits.

As described above, according to the present embodiment, even if the user tries to bookmark the cooperating company site 30, only the URL of the proxy server 110 is known, and the URL becomes meaningless due to the expiration date. Even if this user terminal 12 is used, information on the cooperating company site 30 cannot be obtained. Since the expiration date is encrypted, it is very difficult to manipulate the expiration date based on this.
Since the expiration date is represented by information that changes every moment such as a start time and an end time, the encrypted information has a high one-time property and is more secure.

The present invention has been described based on the embodiments. This embodiment is an exemplification, and it is understood by those skilled in the art that various modifications can be made to the combination of each component and each processing process, and that such modifications are also within the scope of the present invention. is there.

For example, FIG. 4 illustrates an electronic mall.
However, the present invention can be used for various other services. As an example, confidential information is distributed to the cooperating company site 30 and the member management site 14 manages the viewer. For example, if the partner company site 30 is a pharmaceutical company, a doctor is required to view powerful drugs and other data. When a plurality of pharmaceutical companies are connected as the cooperating company site 30 and they provide various information including confidential information to the doctor, the member management site 14 checks whether or not the accessing user is a doctor and then provides the service. provide.

[0043]

According to the present invention, the convenience of the user at the time of login is enhanced. Alternatively, according to the present invention, a sense of unity of services is enhanced.

[Brief description of the drawings]

FIG. 1 is a configuration diagram of a login management system according to a first embodiment.

FIG. 2 is a diagram showing how an address is generated in the first embodiment.

FIG. 3 is a configuration diagram of an access permission list used in the first embodiment.

FIG. 4 is a diagram showing a screen displayed when accessing the member management site according to the first embodiment.

FIG. 5 is a configuration diagram of a login management system according to a second embodiment.

FIG. 6 is a flowchart showing processing until an access destination shifts to a proxy server in the second embodiment.

FIG. 7 is a flowchart illustrating a process in which information is provided from a proxy server to a user terminal in the second embodiment.

[Explanation of symbols]

10,100 login management system, 12 user terminals, 14 member management site, 16 authentication section, 1
8 link control unit, 20 address generation unit, 22 time limit setting unit, 30 partner company site, 102 encryption unit, 110 proxy server, 112 time limit monitoring unit, 1
16 Information transfer unit.

Claims (14)

[Claims] When a user inputs information for authentication and logs in to a first site on a network, and tries to log in to a second site by following a link from the site, the first A login management method, wherein information for authentication is added to an address for accessing a second site and provided for the access at the site. 2. The expiration date of the information for authentication is set to a first
2. The method according to claim 1, wherein an appropriate setting is made from the first site to the second site, and the second site permits a user who logs in by following a link from the first site only within the validity period. the method of. 3. A step of, when a user attempts to log in to a predetermined site, guiding the user to a relay site acting as a proxy for the site, and transmitting information of the site obtained at the relay site from the relay site. Providing the information to the site when the relay base obtains the information of the site, and transmits information for authentication to the site, and after being authenticated as a single user from the site, logs in to the site. A login management method characterized in that: 4. After a user inputs information for authentication and logs in to a first site on a network, and tries to log in to a second site by following a link from the site, the user Including a step of leading to the proxy server of the second site and a step of providing the information of the second site obtained by the proxy server to the user from the proxy server, wherein the proxy server has information of the second site A login management method characterized by logging in to the second site after being authenticated as a single user from the second site when obtaining the information. 5. When the user follows the link, the first
5. The site according to claim 4, wherein information relating to an expiration date at which the user can obtain information on the second site is added to an address for accessing the proxy server and provided to the access. the method of. 6. The information on the expiration date is encrypted, and the proxy server decrypts and interprets the information,
6. The provision of information of the second site to the user when the expiration date has expired is stopped.
The method described in. 7. A login management system including a first site, wherein the first site authenticates the user when the user inputs information for authentication and requests login.
A link control unit that provides a link to a second site to a logged-in user, wherein the link control unit allows the user to access the second site with the information for authentication added. A login management system comprising an address generation unit for generating an address for the user. 8. The system according to claim 7, wherein the first site further includes a time limit setting unit that appropriately sets a validity period of the information for authentication in the second site. 9. A login management system including a relay base that mediates access when a user accesses a predetermined site, wherein the relay base is necessary for the site itself to be authenticated as a user from the site. A login management system, comprising: an authentication requesting unit that transmits appropriate information; and an information transfer unit that, when authenticated as a user from the site, logs in to the site and provides information obtained to the user. 10. A login management system including a first site and a proxy server, wherein the first site authenticates a user when the user inputs information for authentication and requests a login. Department and
A link control unit that provides a link to a second site to a logged-in user, wherein the link control unit includes an address generation unit that generates an address for the user to access the proxy server; The proxy server, from the second site, an authentication requesting unit that transmits information necessary for itself to be authenticated as a user, and when the proxy server is authenticated as a user from the second site,
An information transfer unit for providing information obtained by logging in to the site to the user. 11. The system according to claim 10, wherein the address generation unit adds information on an expiration date at which the user can obtain information on the second site to the address. 12. The system according to claim 11, wherein the address generation unit encrypts the information on the expiration date and adds the information to the address. 13. The proxy server further includes a term monitoring unit that interprets the information on the expiration date and monitors the expiration of the expiration date. When the expiration date has passed, the provision of the information to the user is stopped. 2. The method according to claim 1, wherein
13. The system according to any one of 1 and 12. 14. A login management system including a first site to which a user first logs in and a proxy server, wherein the proxy server is constructed under a domain name similar to the first site, Requests login to the second site while having a session with the first site, the first site changes the user's access destination to the proxy server, A login management system, which acquires information from a second site on behalf of the user and provides the information to the user.