JP2007094730A - Access management device, method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To preferentially receive access request from a terminal device operated by a regular user among access request received from unspecified terminal devices. <P>SOLUTION: The access request received from a client terminal 26 is received by an application server 18 via an access controller 14 and a Web server 16, and the application server 18 performs authentication on the basis of authentication information in login request, and performs registration into an authentication completion table when a user is authorized as a regular user. The access controller 14 captures the access request received from the client terminal 26 every unit time, preferentially selects the access request from the client terminal 26 registered in the authorization completion table as a transmission target to the Web server 16, and controls the access request from another client terminal 26 such that a time until selecting the access request as the transmission target next time every time selecting the access request as the transmission target is increased. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an access management device, method, and program, and in particular, performs processing according to the request for each access request selected as a processing target from access requests received from an unspecified terminal device, and a transmission source terminal The present invention relates to an access management device that returns a response to a device, an access management method applicable to the access management device, and an access management program for causing a computer to function as the access management device.

  Each time a web server that manages and manages a website receives information requesting access to the website from any client terminal via the network, it performs predetermined processing as needed and responds to the received access request. The processing of transmitting (distributing) information on the web page to be transmitted to the requesting client terminal is performed. In addition, because the web server's processing capacity and communication line capacity are limited, an upper limit is set for the number of access requests that can be accepted within a unit time in the operation and management of a website, and access requests that exceed the upper limit within a unit time. When a request is received, access requests from client terminals that have already established a session at the network level among the received access requests are preferentially received, and access requests exceeding the upper limit are not accepted and discarded. A configuration is adopted.

  For identification of “access request from a client terminal for which a session at the network level has already been established”, an IP address and a port number set in the received packet are used, as in Patent Document 1, for example. It is common. In the technique described in Patent Document 1, authentication processing is performed based on the IP address and port number of a packet transmitted from a client terminal a plurality of times, and the communication is permitted (or after communication) through the authentication processing. The IP address and port number of the transmission source are stored, and the packet passing / discarding is controlled based on this information.

Patent Document 2 discloses a new session from a client in a server load balancer that is connected to a server group including a plurality of servers and distributes traffic between the client and the server to a distribution destination server selected by a predetermined method. In response to the connection request, the allocation destination server stores priority identifier information in association with the session identifier assigned for each new session, and stores communication quality corresponding to each priority information, so that the client or server Priority control such as improving the connectivity to the server is possible for users who frequently use the same service by transferring the received packet with communication quality based on priority information The technology to make is disclosed.
JP 2005-203890 A JP 2003-152783 A

  However, a session at the network level is established when an access request is transmitted from an arbitrary client terminal to the web server, and the access request is received by the web server. For this reason, in the method of preferentially receiving the access request from the client terminal for which the session at the network level has already been established among the access requests received as described above, for example, for the purpose of mischief, the web request is sent from the same client terminal. If an access request requesting delivery of a specific web page on a site is repeatedly transmitted and the access request is repeatedly received by the web server, etc., a session at the network level has already been established. It is recognized as an access request from the client terminal and is preferentially accepted. Accordingly, the response to an access request from a legitimate user who intends to use the website (for example, a user in which authentication information for using the website is registered) deteriorates, or an access request from a legitimate user. However, there is a problem that there may be a situation where it is not accepted.

  Further, the techniques described in Patent Documents 1 and 2 are techniques for managing sessions at the network level. At the network level, access requests from legitimate users and access requests from mischievous users cannot be identified. Have similar problems.

  The present invention has been made in consideration of the above facts, and access management that can preferentially accept access requests from terminal devices operated by legitimate users among access requests received from unspecified terminal devices. It is an object to obtain an apparatus, an access management method, and an access management program.

  In order to achieve the above object, an access management apparatus according to the invention described in claim 1 is an access having a predetermined upper limit value as a maximum number from access requests received from an unspecified terminal device via a computer network. By selecting a request as a processing target, the processing unit performs processing according to the access request and returns a response to the terminal device that is the transmission source of the access request, for each access request selected as the processing target. Each of the access management devices to be performed, wherein the processing means performs an authentication process based on the authentication information when the access request selected as the processing target is an access request including authentication information and requesting login. The authentication process confirms that the operator of the terminal device that has transmitted the access request is a valid user. And a process for establishing an application level session with the terminal device that is the transmission source of the access request, and based on the first storage means and the access request selected as the processing target, the processing means Session management for storing, in the first storage means, identification information of the terminal device with which the application level session is established each time an application level session is established with the terminal device that is the source of the access request And an access request in which the identification information of the transmission source terminal device is stored in the first storage unit among the access requests received from the unspecified terminal device is preferentially selected as the processing target. When the total number of access requests selected in the above is less than the upper limit value, the identification information of the terminal device of the transmission source is the first And control means for selecting an access request from the terminal device is not stored in the storage unit as a processing target, and comprising the.

  The access management apparatus according to the first aspect of the present invention selects, from among access requests received from an unspecified terminal device via a computer network, an access request having a predetermined upper limit value as the maximum number as a processing target. Thus, the processing unit performs processing according to the access request and returns a response to the terminal device that is the source of the access request, for each access request selected as the processing target. Further, in the invention according to claim 1, when the access request selected as the processing target is an access request including authentication information and requesting login, the processing means performs authentication processing based on the authentication information, and When the processing confirms that the operator of the terminal device that is the source of the access request is a valid user, processing for establishing an application level session with the terminal device that is the source of the access request is performed.

  In the first aspect of the present invention, as described above, it is confirmed by the authentication process that the operator of the terminal device that is the source of the access request is a valid user, and the terminal device that is the source of the access request If an application level session is established between the two, the user operating the terminal device can determine that the user is a legitimate user, and based on the access request selected as the processing target, the access is performed by the processing means. Each time an application level session is established with the terminal device that is the source of the request, the session management means stores the identification information of the terminal device for which the application level session has been established in the first storage means. ing. Then, the control means according to the first aspect of the present invention processes the access request in which the identification information of the transmission source terminal apparatus is stored in the first storage means among the access requests received from the unspecified terminal apparatus. If the total number of access requests selected preferentially is less than the upper limit value, an access request from a terminal device in which the identification information of the transmission source terminal device is not stored in the first storage means Is selected as a processing target.

  As described above, in the first aspect of the present invention, the access request in which the identification information of the transmission source terminal device is stored in the first storage means, that is, the access request from the terminal device in which the application level session is established. Is selected preferentially as a processing target. For example, even when an access request is repeatedly transmitted from the same terminal device for the purpose of mischief, the access request repeatedly received from the terminal device is preferentially selected as a processing target. Can be prevented. Therefore, according to the first aspect of the present invention, it is possible to preferentially accept an access request from a terminal device operated by an authorized user among access requests received from an unspecified terminal device. It is possible to avoid inconveniences such as taking a long time to respond to an access request from a terminal device to be operated, or not performing processing according to the access request.

  According to the first aspect of the present invention, the information stored in the first storage means (identification information of the terminal device with which the application level session is established) receives an access request from the same terminal device for a predetermined time or more. If the access request selected as the processing target is an access request for requesting logoff, the processing means is connected to the terminal device that is the transmission source of the access request. When performing the process of disconnecting the application level session established in the above, the session management means is executed by the processing means based on the access request selected as the processing target. Each time an application level session established with the terminal device that sent the access request is disconnected It is preferable to configure the identification information of the terminal device application level session is cut to erase the first memory means.

  When managing a network level session, even if the logoff is requested as described above and the application level session is disconnected, it cannot be recognized, so access from the same terminal device as described above. Monitors whether or not a request has been received for a certain period of time, and if applicable, deletes information from the management table that manages existing sessions, and processing delays or processing as the management table grows An increase in load occurs. On the other hand, according to the second aspect of the invention, every time the application level session is disconnected, the identification information of the terminal device from which the application level session is disconnected is deleted from the first storage means. Only the identification information of the terminal device in the state where the application level session is established is stored in the storage means, and it is possible to prevent the processing delay or the processing load from increasing.

  By the way, in the invention according to claim 1 as described above, since an access request from a terminal device having an application level session established is preferentially selected as a processing target, the same terminal device is used for the purpose of mischief. Even when an access request is repeatedly transmitted, the access request repeatedly received from the terminal device is not preferentially selected as a processing target, but the total number of preferentially selected access requests is less than the upper limit value. In this case, an access request from a terminal device in which the identification information of the terminal device of the transmission source is not stored in the first storage means, that is, a terminal device in which an application level session is not established is selected as a processing target. Access requests sent repeatedly from the same terminal device for the purpose of As a result, it takes a long time to respond to an access request sent by a legitimate user operating a terminal device for which an application-level session has not been established, or processing according to the access request is not performed. Inconveniences such as this may occur.

  In consideration of the above, in the invention described in claim 1, for example, as described in claim 3, the second storage unit and the terminal device that is the transmission source of the received access request and the application level session is not established. The identification information is stored in the second storage means, and the number of times that the access request received from the terminal device is selected as the processing target by the control means while the application level session is not established is indicated by the identification information of the terminal device. Is further provided with an unestablished session management means for storing the number of accesses to the terminal device in the second storage means in association with the control terminal, and the control means is adapted to the corresponding terminal as the access count stored in the second storage means increases. Increased time from the last time an access request from a device was selected as a processing target until it was selected as the next processing target As described above, it is preferable that the terminal device selected as the processing target among the terminal devices whose identification information is not stored in the first storage unit is selected based on the information stored in the second storage unit. .

  According to the third aspect of the present invention, the second storage means stores the number of times that the access request received from the terminal device in which the application level session has not been established is selected as a processing target while the application level session has not been established yet. As the number of accesses increases, the time until the access request from the corresponding terminal device is previously selected as the processing target and the next time it is selected as the processing target is increased. Even when an access request is repeatedly transmitted from the same terminal device as a purpose, the probability that the repeatedly transmitted access request is selected as a processing target is gradually reduced. Therefore, an access request transmitted repeatedly from the same terminal device for the purpose of mischief is selected as a processing target, and an access transmitted by a legitimate user operating a terminal device for which an application level session has not been established. The adverse effect on demand can be minimized.

  As described in claim 3, as the number of accesses stored in the second storage means increases, the access request from the corresponding terminal device is selected as the processing target last time and then selected as the processing target next time. Specifically, for example, as described in claim 4, the unestablished session management unit is configured such that the unestablished session management unit includes the access request received from an unspecified terminal device. For an access request in which the identification information is not stored in the first storage means, the identification information of the transmission source terminal device is selected as the processing target with 0 as the initial value of the access count and the access request from the terminal device. The second storage means stores the identification information in association with the current time as the initial value of the next permission time representing the time to be permitted, and the second storage means Each time an access request from a terminal device is selected as a processing target by the control means, the corresponding access count stored in the second storage means is incremented, and the access request from the terminal device increases as the access count increases. The corresponding next permission time stored in the second storage means is updated so that the time until it is permitted to be selected as a processing target next time is increased, and the control means Of the access requests from the terminal devices whose identification information is not stored in the first storage means when the total number is less than the upper limit value, the next permission time stored in the second storage means is an access before the current time. This can be realized by configuring the request to be selected as a processing target.

  Further, in the invention described in claim 3, the session management means, as described in claim 5, for example, every time an application level session is established with an arbitrary terminal device, It can be configured to delete from the second storage means.

  Further, in the invention according to any one of claims 1 to 5, the processing means sends a predetermined website to each access request selected as a processing target as described in claim 6, for example. In addition to acquiring or generating information on the web page requested by each access request among the constituent web pages and distributing it to the terminal device that is the source of the individual access request, an application level session In response to an access request from an unestablished terminal device, information on a login screen provided with an input field for an operator of the terminal device to input authentication information necessary for establishing an application level session You may comprise so that the process delivered to a terminal device may be performed.

  In this case, in the terminal device in which the application level session is not established and the transmitted access request is not selected as the processing target, for example, the retransmitted access request is selected as the processing target. After the elapse, a login screen is displayed on the display device of the terminal device. However, it is relatively easy for the login screen to take a long time to display, and applying the present invention makes the user feel uncomfortable. Can be prevented.

  The access management method according to the seventh aspect of the present invention selects, from among access requests received from unspecified terminal devices via a computer network, an access request having a predetermined upper limit value as the maximum number as a processing target. By the access management method, the processing means performs processing according to the access request and returns a response to the terminal device that is the transmission source of the access request for each individual access request selected as the processing target. The processing means performs an authentication process based on the authentication information when the access request selected as the processing target includes an authentication information and requests a login, and the access process is performed by the authentication process. When it is confirmed that the operator of the terminal device that sent the request is a valid user, the access request A process for establishing an application-level session with a source terminal device is performed, and based on the access request selected as the processing target, the processing means communicates with the source terminal device of the access request. Each time an application level session is established, the identification information of the terminal device with which the application level session has been established is stored in the first storage means, and among the access requests received from unspecified terminal devices, When the access request whose identification information of the transmission source terminal device is stored in the first storage means is preferentially selected as the processing target, and the total number of preferentially selected access requests is less than the upper limit value And processing an access request from a terminal device whose identification information of the transmission source terminal device is not stored in the first storage means. In the same manner as in the first aspect of the present invention, among access requests received from unspecified terminal devices, access requests from terminal devices operated by legitimate users are preferentially received. be able to.

  According to an eighth aspect of the present invention, there is provided an access management program that sets a predetermined upper limit value to a maximum number from access requests received from an unspecified terminal device via a computer network by a computer having first storage means. By selecting the access request to be processed as a processing target, the processing unit performs processing according to the access request and returns a response to the terminal device that is the transmission source of the access request. An access management program for causing each access request to function as an access management apparatus, wherein the processing means includes an access request that includes authentication information and requests a login when the access request selected as the processing target Then, an authentication process based on the authentication information is performed, and the access request is performed by the authentication process. If it is confirmed that the operator of the transmission source terminal device is a valid user, an application level session is established with the terminal device of the access request transmission source, and the computer is Each time an application level session is established with the terminal device that is the source of the access request based on the access request selected as the processing target, the application level session is established Session management means for storing the terminal device identification information in the first storage means, and among the access requests received from unspecified terminal devices, the identification information of the terminal device of the transmission source is stored in the first storage means. Preferentially select a stored access request as the processing target and preferentially select the access request When the total number is less than the upper limit value, it functions as a control unit that selects an access request from a terminal device whose identification information of a transmission source terminal device is not stored in the first storage unit as a processing target. It is said.

  An access management program according to an eighth aspect of the present invention is a program for causing a computer including the first storage unit to function as the session management unit and the control unit. By executing the access management program according to the present invention, the computer functions as the access management device according to claim 1, and is received from an unspecified terminal device as in the invention according to claim 1. Among the access requests, access requests from terminal devices operated by legitimate users can be preferentially accepted.

  As described above, the present invention provides an application level session each time an application level session is established with a terminal device that is the source of the access request based on the access request selected as the processing target. Is stored in the first storage means, and among the access requests received from the unspecified terminal apparatus, the identification information of the transmission source terminal apparatus is stored in the first storage means. When a request is preferentially selected as a processing target, and the total number of access requests selected preferentially is less than the upper limit value, the terminal device whose identification information of the transmission source terminal device is not stored in the first storage means Since the access request is selected as the processing target, the end of the access request received from an unspecified terminal device is operated by a legitimate user. Can accept an access request from the device preferentially has an excellent effect that.

  Hereinafter, an example of an embodiment of the present invention will be described in detail with reference to the drawings. FIG. 1 shows a computer system 10 according to the present embodiment. The computer system 10 includes a website management system 12. The website management system 12 is a system that manages and manages a specific website, and is configured such that an access control device 14, a web server 16, and an application server 18 are connected to each other via an intranet (LAN) 20.

  The access control device 14 includes a CPU 14A, a memory 14B including a RAM, a hard disk drive (HDD) 14C, and a network interface (I / F) unit 14D. The CPU 14A has access control processing and message transmission described later. An access control program and a message transmission program for processing are installed. The network I / F unit 14D of the access control device 14 is directly connected to a computer network (Internet) 24 in which a large number of web servers are connected to each other via a communication line. Connected to the Internet 24 are a large number of client terminals 26 each composed of a personal computer (PC), a PDA (Personal Digital Assistance) having a function of accessing the Internet 24, and a portable terminal such as a mobile phone.

  On the other hand, the web server 16 includes a CPU 16A, a memory 16B including a RAM, a hard disk drive (HDD) 16C, and a network interface (I / F) unit 16D. The HDD 16C performs a message transfer process, which will be described later. A telegram transfer program is installed. The application server 18 includes a CPU 18A, a memory 18B including a RAM, an HDD 18C, and a network I / F unit 18D. An authentication information database (authentication information DB) is stored in the HDD 18C, and a message reception program for the CPU 18A to perform a message reception process described later is installed.

  The specific website according to the present embodiment is a website that provides a predetermined service to a legitimate user who has applied for the use of the specific website in advance, and the individual website that has applied for the use of the specific website in advance. A user ID is given to the user. In the authentication information DB stored in the HDD 18C, user IDs assigned to individual users are registered in advance as authentication information together with passwords set by individual users. The telegram reception program installed in the HDD 18C corresponds to the access management program according to claim 8, together with the access control program and telegram transmission program installed in the HDD 14C of the access control device 14, and the access control program. When the device 14 executes the access control program and the application server 18 executes the message reception program, the access control device 14 and the application server 18 function as an access management device according to the present invention.

  Next, the operation of this embodiment will be described. For example, if the client terminal 26 is a PC, a user who desires access to a specific website operated and managed by the website management system 12 starts a browser (browsing software) on the client terminal 26, and By specifying an address such as a URI (Uniform Resource Identifier) of a home page (top page) of a specific website and performing an operation to instruct access to the specified address, the access to the specific website is instructed (FIG. 2). (See also step 30). Even when the client terminal 26 is a mobile terminal such as a PDA or a mobile phone, it is possible to instruct access to a specific website by a similar operation. By performing the above operation, an access request message (packet) is transmitted from the client terminal 26 to the website management system 12, and the access request message is received by the access control device 14 of the website management system 12.

  The memory 14B of the access control device 14 is provided with a reception buffer Rb, a reception buffer copy Rbc, a pure new candidate buffer Rnc, an application session established table Ae, an application session unestablished table Au, and a transmission buffer Sb shown in FIG. The access request messages received from the client terminal 26 by the access control device 14 are sequentially stored in the reception buffer Rb. As shown in FIG. 6 (A), the reception buffer Rb has a size capable of storing Cr messages of access requests. Further, information to be registered in the application session established table Ae is information stored in the first storage means according to the present invention, and information to be registered in the application session unestablished table Au is second storage means according to claim 3. The memory 14B for storing these tables corresponds to the first storage means according to the present invention and the second storage means according to claim 3, respectively.

  In the access control device 14, the CPU 14A executes the access control program installed in the HDD 14C every unit time (for example, every second), thereby executing the access control process shown in FIG. 3 every unit time. Hereinafter, the access control process when the access control device 14 first receives an access request message from the client terminal 26 will be described first. Note that the access control processing including the session unestablished message selection processing described later corresponds to the control means according to the present invention.

  In step 80, all the messages stored in the reception buffer Rb (access request messages received by the access control device 14 after the previous execution of the access control process until the unit time elapses) are stored in the reception buffer copy Rbc. make a copy. In step 82, “From IP address”, “From TCP port number”, “To IP address”, “To TCP port” set in each message for all access request messages copied to the reception buffer copy Rbc. Based on the “number”, an address key uniquely determined from these pieces of information is generated, and the generated address key is added to each message copied to the reception buffer copy Rbc. This address key is used as identification information for identifying the client terminal 26 that is the transmission source of each message.

  In step 84, 1 is assigned as an initial value to the variable i, 0 is assigned to the variables Cm and Cu as initial values, and the transmission permission flag is reset (to 0). In step 86, the application session established table Ae (see FIG. 6D) is searched using the address key added to the i-th access request message of the reception buffer copy Rbc as a key, and the next step 88 is performed. In step S86, it is determined whether the corresponding record is extracted from the application session established table Ae. The application session established table Ae is a table in which information of the client terminal 26 in a state where an application level session has already been established is registered, and the above step 88 is the i-th received buffer copy Rbc. The client terminal 26 that has transmitted the access request message determines whether or not an application level session is established.

  When the access control device 14 first receives an access request message from the client terminal 26, there is no client terminal 26 in which an application level session has already been established, and the application session established table Ae is also information. Is unregistered, the determination in step 88 is negative and the process proceeds to step 90. The variable Cu is incremented by 1, and the i-th access request message in the reception buffer copy Rbc is changed to the address key. In addition, it is copied to the Cu case of the pure new candidate buffer Rnc (see FIG. 6C). In the next step 92, it is determined whether or not the variable i has reached the number of storable messages Cr in the reception buffer Rb. If the determination is negative, the routine proceeds to step 94, where the variable i is incremented by 1, and the routine returns to step 86. If there is no client terminal 26 for which an application level session has been established, the determination in step 88 is denied each time, so all messages copied to the reception buffer copy Rbc are all copied to the pure new candidate buffer Rnc. Is done.

  When all the messages copied to the received buffer copy Rbc are copied to the pure new candidate buffer Rnc, the determination at step 92 is affirmed and the routine proceeds to step 95, where the value of the variable Cm is substituted for the variable Ct, and step 110 is executed. Migrate to At this time, since the value of the variable Cm is 0, 0 is also set to the variable Ct. In step 110, a message transmission process (FIG. 4) executed in parallel with the access control process is started, and an initial value of 1 is substituted into a variable i. As shown in FIG. 4, in the message transmission process, it is determined in step 130 whether or not the transmission permission flag is 1, and if the determination is negative, step 130 is repeated. Accordingly, until the transmission permission flag is set to 1, execution of the processing from the next step 132 is suspended.

  On the other hand, in the access control process, in the next step 112, the application session unestablished table Au (see FIG. 6E) is searched using the address key of the i-th access request message in the pure new candidate buffer Rnc as a key. In the next step 114, it is determined whether or not the corresponding record is extracted from the application session unestablished table Au by the search in step 112. The application session non-established table Au is a table in which information on the client terminal 26 in a state where an access request message has been received in the past but an application level session has not been established is registered. The client terminal 26 that has transmitted the i-th access request message in the new candidate buffer Rnc determines whether or not an application level session has been established although the access request message has been received in the past.

  When the access control device 14 first receives an access request message from the client terminal 26, the information in the application session unestablished table Au is also unregistered, so the determination in step 114 is negative and step 116 is performed. In the i-th access request message of the pure new candidate buffer Rnc, “address key”, “From IP address”, “From TCP port number”, “To IP address”, “To TCP port number” Is registered as a new record at the end of the application session unestablished table Au, and 0 is set as the initial value of the number of accesses to the new record, the current time is set as the initial value of the first access time, and the initial value of the next permitted time. Set the current time respectively.

  In the next step 118, it is determined whether or not the variable i matches the variable Cu. As described above, since the variable Cu is incremented by 1 every time an access request message is copied to the pure new candidate buffer Rnc, the variable Cu is copied to the pure new candidate buffer Rnc at the time of determination in step 118. This indicates the total number of request messages (the total number of access request messages from the client terminal 26 for which the application level session has not been established among the access request messages received this time). In step 118, the end of the pure new candidate buffer Rnc It is determined whether or not it has been reached. If the determination in step 118 is negative, the process proceeds to step 120, the variable is incremented by 1, and the process returns to step 112. Steps 112 to 120 described above are repeated until the determination in step 118 is affirmed. Therefore, when the access control device 14 first receives an access request message from the client terminal 26, each copy copied to the pure new candidate buffer Rnc is performed. All the information of the client terminal 26 that is the transmission source of the access request message is registered in the application session unestablished table Au.

  If the determination in step 118 is affirmed, the process proceeds to step 122, and the information of each client terminal 26 stored in the application / session non-established table Au is stored in ascending order of the next permitted time / access count (the oldest permitted next time (Sort in ascending order of accesses) In step 124, session unestablished data selection processing is performed. This session unestablished message selection process will be described with reference to FIG.

  In step 140, 1 is substituted for variable i as an initial value. In the next step 142, it is determined whether or not the variable Ct has reached a constant N. The constant N is the number of messages that can be stored in the transmission buffer Sb for storing messages to be transmitted to the web server 16 (see FIG. 6F), and corresponds to the predetermined upper limit value according to the present invention. ing. In addition, the number of messages stored in the transmission buffer Sb is set in the variable Ct. Initially, when the access control device 14 first receives an access request message from the client terminal 26, the variable Ct remains 0 at this point. Therefore, the determination is denied and the process proceeds to step 144, and the application session is not completed. It is determined whether or not the next permission time of the i-th record of the establishment table Au is before the current time.

  If the determination in step 144 is affirmative, the process proceeds to step 146, and the pure new candidate buffer Rnc is searched using the address key of the i-th record in the application session unestablished table Au as a key. In the next step 148, It is determined whether or not the corresponding access request message is extracted from the pure new candidate buffer Rnc by the search in step 146. Among the access request messages copied to the pure new candidate buffer Rnc in steps 112 to 120 described above, messages for which corresponding information is not registered in the application session unestablished table Au are stored in the application session unestablished table Au. Since the corresponding information is registered, the determination in step 148 is always affirmed once.

  If the determination in step 148 is affirmed, the process proceeds to step 150, and the corresponding access request message extracted from the pure new candidate buffer Rnc by the search in step 146 is copied to the transmission buffer Sb (see also step 32 in FIG. 2). ). Note that copying the access request message to the transmission buffer Sb as described above corresponds to “selecting the access request message as a processing target”. In the next step 152, after the variable Ct is incremented by 1, the process returns to step 146, and steps 146 to 152 are repeated until the determination in step 148 is negative. Note that if the access request message transmitted from the client terminal 26 is composed of a single packet, the determination in step 148 is performed again, but the determination is denied, but there are a plurality of access request messages transmitted from the client terminal 26. If the packet is composed of packets, the determination in step 148 is affirmed as many times as the number of packets constituting the access request message, and a plurality of packets constituting the same access request message are respectively copied to the transmission buffer Sb. The

  If the determination in step 148 is negative, the process proceeds to step 154. In step 154, the i-th record of the application session unestablished table Au (the record corresponding to the access request message copied to the transmission buffer Sb in step 150 above) is set. The number of access times set is incremented by 1, and a power of a natural number n (for example, n = 2) is calculated using the number of access times after the increment as a multiplier, and the first access time set in the above record is calculated. The time added to is overwritten with the next permitted time set in the record. Step 154 corresponds to the unestablished session management means described in claim 3 (specifically, claim 4) together with step 116 described above. In the next step 156, it is determined whether or not the variable i is greater than or equal to the variable Cu. If the determination is negative, the variable i is incremented by 1 in step 158, and then the process returns to step 142 to repeat the processes in and after step 142.

  Thus, steps 142 to 158 are repeated until the determination at step 142 is affirmed, the determination at step 144 is denied, or the determination at step 156 is affirmed. The access request message is copied. If the determination in step 142 is affirmed, the determination in step 144 is negative, or the determination in step 156 is affirmed, the process proceeds to step 160, where the transmission permission flag is set to 1 and the session unestablished message is set. The selection process (access control process) is terminated.

  If the number of access request messages received by the access control device 14 from the previous execution of the access control process until the unit time elapses is greater than N, the N + 1 and subsequent access request messages are stored on the web Although it is discarded without being transmitted to the server 16, the discarded message is in accordance with the protocol of TCP / IP based on the fact that the client terminal 26 has not received a response to the transmitted access request message for a predetermined time or longer. Since the data is retransmitted from the client terminal 26 to the access control device 14, it is not usually necessary for the user to perform an operation for retransmitting the access request message.

  If 1 is set in the transmission permission flag as described above, the determination in step 130 of the message transmission process (FIG. 4) is affirmed, the process proceeds to step 132, and Ct records copied to the transmission buffer Sb. An access request message is transmitted to the web server 16. In step 134, the transmission permission flag is cleared (set to 0), and the process is terminated.

  When the Ct access request message transmitted from the access control device 14 is received by the web server 16 through the intranet 20 by executing the above-described message transmission process, the CPU 16A in the web server 16 The message transfer process shown in FIG. 7 is performed by executing the message transfer program. In this message transfer process, first, in step 170, Ct access request messages stored in the reception buffer are read out, the above-mentioned address keys are generated for each read access request message, and the generated address keys are generated. Is added to each access request message. In step 172, Ct access request messages to which the address key is added are transmitted to the application server 18, and the process ends.

  When the Ct access request message transmitted from the web server 16 is received by the application server 18 via the intranet 20 by executing the above-described message transfer process, the application server 18 The message reception time program shown in FIG. 8 is performed by the CPU 18A executing the message reception time program. In this message reception process, first, 1 is assigned as an initial value to the variable i in step 180, and in the next step 182, the i-th access request from the Ct access request messages stored in the reception buffer. A message is taken out as a processing target. In step 184, the contents of the access request message taken out as a processing target are referred to, and it is determined whether or not the taken out access request message is a message requesting login. If the determination is negative, the process proceeds to step 198, and it is determined whether or not the access request message taken out as a processing target is a message requesting logout. If the determination in step 198 is also negative, the process proceeds to step 204, and the processing requested by the access request message taken out as a processing target is performed.

  In the process of step 204, when the access request message taken out as a processing target is a part of an access request message composed of a plurality of packets, other packets corresponding to the same access request message are also included. Processing to retrieve the original access request message by assembling a plurality of extracted packets from the reception buffer is also included.

  As described above, the specific website according to the present embodiment is a website that provides a predetermined service to an authorized user, and the home page (top page) is provided with input fields for a user ID and a password. And a login screen on which a message requesting input of information in each input field is displayed. A user who desires access to a specific website performs an operation of instructing access by designating the address of the home page of the specific website on the client terminal 26. In this case, the access transmitted from the client terminal 26 is performed. The request message is a message for requesting delivery of a home page of a specific website. When this message is taken out as a processing target in the message reception process, the determinations in steps 184 and 198 are respectively denied, and in step 204, the homepage of the specific website, that is, information on the login screen is generated and accessed. Processing for transmitting (distributing) the request message to the client terminal 26 that is the transmission source of the request message is performed (see also step 34 in FIG. 2). As a result, the login screen information transmitted from the application server 18 is received by the client terminal 26 via the web server 16, the access control device 14, and the Internet 24, thereby logging in to the display of the client terminal 26. A screen is displayed (see also step 36 in FIG. 2).

  In the message reception process, when the process of step 204 is performed, the process proceeds to step 206, and it is determined whether or not the variable i has reached the total number Ct of messages received from the web server 16. If the determination is negative, the variable i is incremented by 1 in step 208 and then the process returns to step 182. As a result, the processes in and after step 182 are repeated until the determination in step 206 is affirmed, and the above-described processes are respectively performed on unprocessed messages among the access request messages received from the web server 16.

  Next, login to a specific website will be described. When a regular user who wants to receive a predetermined service from a specific website displays a login screen on the display of the client terminal 26, he / she enters a user ID and password in each entry field of the login screen. Then, an operation to instruct login to a specific website is performed (see also step 38 in FIG. 2). As a result, authentication information (user ID / password) input by the user is added as an access request message, and a message requesting login to a specific website is transmitted from the client terminal 26.

  In the access control process (FIGS. 3 and 5) executed by the access control device 14, the process when an access request message requesting login is received is an application between the client terminal 26 that is the source of the access request message. Since the level session is not established and the information of the client terminal 26 is not registered in the application / session established table Ae, the processing is the same as described above (the access request message is received by the reception buffer Rb → The received buffer copy Rbc is copied in order to the pure new candidate buffer Rnc). However, since the information of the client terminal 26 that received the access request message in the past is registered in the application session unestablished table Au, the corresponding record is extracted from the application session unestablished table Au by the search in step 112, If the determination in step 114 is affirmed, the corresponding new record is not added to the application session non-established table Au (step 116).

  In addition, an access request message requesting login is copied to the transmission buffer Sb in step 150 (FIG. 5) (see also step 40 in FIG. 2), a message transmission process (FIG. 4) by the access control device 14, and the web server 16 When the message is received by the application server 18 via the message transfer process (FIG. 7) and is taken out as the processing target in step 182 of the message reception process (FIG. 8) by the application server 18, the determination in step 184 is affirmed. Proceeding to step 186, the authentication information added to the access request message taken out as a processing target is compared with the authentication information registered in the authentication information DB stored in the HDD 18C (step in FIG. 2). 42). In the next step 188, whether or not the authentication is OK in the authentication process of step 186, that is, whether or not the operator of the client terminal 26 that is the transmission source of the access request message taken out as a processing target is an authorized user of the specific website. (See also step 44 in FIG. 2). Note that steps 186 and 188 performed when the determination in step 184 is affirmed correspond to the processing means according to the present invention together with step 204 described later.

  If the determination is negative, the process proceeds to step 204 without performing any processing. However, if the determination in step 188 is affirmative, the process proceeds to step 190, where the “address key”, “address key”, “From IP address”, “From TCP port number”, “To IP address”, and “To TCP port number” are additionally registered as new records at the end of the application session established table Ae (see also step 46 in FIG. 2). ). Step 190 corresponds to the session management means according to the present invention. In step 192, the application session unestablished table Au is searched using the address key of the access request message taken out as the processing target as a key. In step 194, the corresponding record extracted from the application session unestablished table Au by the search in step 192 is deleted from the application session unestablished table Au, and the process proceeds to step 204. Steps 192 and 194 correspond to the session management means described in claim 5.

  In this case, in step 204, an application-level session is established with the client terminal 26 that is the transmission source of the access request message taken out as a processing target based on the result of the authentication processing in step 186 being authentication OK. In addition to registering information indicating that the service has been performed in a predetermined table, it generates information such as a menu screen on which various services provided by the specific website to authorized users are listed as options, and the access request message Processing such as transmission (distribution) to the transmission source client terminal 26 is performed (see also step 48 in FIG. 2). As a result, an application level session is established with the client terminal 26 that is the transmission source of the access request message taken out as a processing target, and information such as the menu screen transmitted from the application server 18 is stored in the Web A menu screen or the like is displayed on the display of the client terminal 26 by being received by the client terminal 26 via the server 16, the access control device 14, and the Internet 24 (see also step 50 in FIG. 2).

  When an application level session is established through the above processing and a menu screen or the like is displayed on the display of the client terminal 26, a legitimate user of a specific website can select an option listed in the menu screen. Of these, by displaying the options corresponding to the desired service, the specific website is instructed to provide the desired service. Also in this case, an access request message is transmitted from the client terminal 26, and this access request message is also received by the access control device 14. As described above, the access control apparatus 14 normally receives an access request message from the client terminal 26 in which the application level session is established and an access request message from the client terminal 26 in which the application level session is not established. Receive each one. As described above, in the access request message received by the access control device 14, the access request message from the client terminal 26 in which the application level session is established and the client terminal in which the application level session is not established. The processing when the access request messages from 26 are mixed will be described below.

  As described above, in step 86 of the access control process (FIG. 3), the application session established table Ae is searched using the address key added to the i-th access request message of the reception buffer copy Rbc as a key. In the next step 88, it is determined whether or not the corresponding record is extracted from the application session established table Ae. However, the i-th access request message of the reception buffer copy Rbc indicates that the application level session is If the access request message has been received from the established client terminal 26, the determination in step 88 is affirmed and the routine proceeds to step 96, where the variable Cm is incremented by 1 and i in the received buffer copy Rbc. The first access request message is copied to the Cm item in the send buffer Sb. That. In the next step 98, it is determined whether or not the variable Cm has reached a constant N (the number of messages that can be stored in the transmission buffer Sb).

  If the determination in step 98 is negative, the process proceeds to step 100 to determine whether the variable i has reached the number of storable messages Cr in the reception buffer Rb. If the determination is negative, the process proceeds to step 102, the variable i is incremented by 1, and the process returns to step 86. Therefore, every time an access request message received from the client terminal 26 with which an application level session is established is found, the determination in step 88 is affirmed and the access request message is copied to the transmission buffer Sb. The access request message received from the client terminal 26 in which the application level session has been established is preferentially selected as the message to be transmitted to the web server 16 (application server 18) (application / application). The access request message received from the client terminal 26 for which no level session has been established is copied to the pure new candidate buffer Rnc as described above, but is not copied to the transmission buffer Sb at this time).

  The access request received from the client terminal 26 with which the application level session is established in the access request message received by the access control device 14 after the unit time elapses after the previous execution of the access control process. When N or more messages are included, when the variable Cm (the number of access request messages copied to the transmission buffer Sb) reaches a constant N, the determination in step 98 is affirmed and the process proceeds to step 106. After substituting the constant N for the variable Ct, 1 is set to the transmission permission flag in the next step 108, and the process proceeds to step 110. In this case, when the message transmission process (FIG. 4) is started in step 110, the determination in step 130 is affirmed, and Ct (= N) access request messages copied to the transmission buffer Sb are immediately transmitted to the web server 16. Will be. In this case, since the determination in step 142 of the session unestablished message selection process (FIG. 5) is affirmed from the beginning, the access request message received from the client terminal 26 in which the application level session is not established is -It is discarded without being transmitted to the server 16.

  In addition, a client terminal in which an application-level session is established, which is included in the access request message received by the access control device 14 after the previous execution of the access control process until the unit time elapses If the number of access request messages received from 26 is less than N, the determination in step 100 (or step 92) is affirmed and the routine proceeds to step 104 (or step 95), and the value of variable Cm is set to variable Ct. Substitute and move to step 110. At this time, the value of the variable Cm represents the number of access request messages already copied to the transmission buffer Sb. In the session unestablished message selection process (FIG. 5), an application level session is not established. Of the access request messages received from the client terminal 26, a maximum of N-Cm access request messages are selected as transmission targets in the ascending order of the next permitted time and the number of accesses (copied to the transmission buffer Sb).

  As described above, in the access request message received by the access control device 14, the access request message from the client terminal 26 in which the application level session is established and the client terminal in which the application level session is not established. 26, since the access request message from the client terminal 26 having established the application level session is preferentially selected as the access request message to be transmitted. Compared with the case where the access request message from the client terminal 26 with which the session of the level is established, that is, the client terminal 26 that has previously received the access request message is preferentially selected as the transmission target, the authorized user Client terminal to be operated The access request message from the client terminal 26 can be prioritized without fail, and it takes time to respond to the access request message from the client terminal 26 operated by a legitimate user, or according to the access request message from the client terminal 26. It is possible to reliably prevent inconveniences such as the processing not being performed.

  Next, processing when a logout is instructed from the client terminal 26 having established an application level session will be described. A legitimate user operating a client terminal 26 with an application-level session is displayed on the display when the use of a specific website is terminated after receiving a desired service from the specific website. The logout from the specific website is instructed by performing an operation such as selecting an option for instructing logout in the displayed screen (see also step 52 in FIG. 2). As a result, a message requesting logout from the specific website is transmitted from the client terminal 26 as an access request message.

  Since an application level session is maintained until logout processing is completed in the application server 18 in accordance with the above request, logout from a specific website is requested in the access control processing by the access control device 14. The access request message to be selected is preferentially selected as a transmission target (see also step 54 in FIG. 2). Then, an access request message requesting logout is received by the application server 18 via a message transfer process (FIG. 7) by the web server 16, and processed at step 182 of the message reception process (FIG. 8) by the application server 18. If it is extracted as a target, the determination in step 198 is affirmed and the process proceeds to step 200, and the application session established table Ae is searched using the address key of the message extracted as the processing target as a key. In step 202, the corresponding record extracted from the application session established table Ae by the search in step 200 is deleted from the application session established table Ae (see also step 56 in FIG. 2), and the process proceeds to step 204. . Steps 200 and 202 correspond to the session management means described in claim 2.

  In this case, in step 204, information indicating that the application level session established with the client terminal 26 that is the transmission source of the access request message taken out as a processing target is disconnected is registered in a predetermined table. Then, processing such as generating information on a logout screen on which a message notifying completion of logout is displayed and transmitting (distributing) the information to the client terminal 26 that is the transmission source of the access request message is performed (step 58 in FIG. 2). See also). As a result, the logout screen information transmitted from the application server 18 is received by the client terminal 26 via the web server 16, the access control device 14, and the Internet 24, thereby logging out to the display of the client terminal 26. A screen is displayed and the authorized user can recognize that the logout has been completed (see also step 60 in FIG. 2). Note that the processing in step 204 performed when the determination in step 198 is affirmative corresponds to the processing means according to claim 2.

  In this way, when logout is requested and the application level session is disconnected, the corresponding record is immediately deleted from the application session established table Ae. Therefore, the application session established table Ae includes the application level session. Only the information of the client terminal 26 in the state where the client is established is stored, and the access request message from the same client terminal 26 has not been received for a certain period of time or more like the session management at the network level. The information registered in the management table is enlarged compared to the mode in which the corresponding information is deleted from the management table, assuming that the session at the network level is disconnected when applicable. Processing delays and It is possible to prevent the increase in the processing load applied to the scan control unit 14 occurs.

  Finally, a case where an access request message is repeatedly transmitted from the same client terminal 26 for the purpose of mischief or the like will be described. As shown in FIG. 9, when the user instructs access to a specific website for the purpose of mischief (see step 70A in FIG. 2), the access request message initially received from the client terminal 26 is sent as a transmission target in a short time. When selected (see step 72A in FIG. 2) and the login screen is distributed from the application server 18 (see step 74A in FIG. 2), access to a specific website is instructed for a relatively short time (t1). ) Displays a login screen on the display of the client terminal 26 (see step 76A in FIG. 2). However, since the user is not an authorized user of the specific website, it is impossible to log in to the specific website (the application level session cannot be established), as shown in steps 70B, 70C, and 70D in FIG. In addition, the user repeatedly instructs access to a specific website.

  On the other hand, in the access control process according to the present embodiment, the access request message received from the client terminal 26 in which the application level session is not established in the session unestablished message selection process in FIG. Each time the data is copied to the transmission buffer Sb), the number of accesses registered in the application session non-established table Au is incremented by 1 and a power of a natural number n (for example, n = 2) with the number of accesses after the increment as a multiplier. Is set by overwriting the next permission time with the time added to the first access time (step 154). Then, when the access request message is received again from the client terminal 26 in which the application level session is not established, until the current time is after the next permission time set in the application session unestablished table Au, If the determination in step 144 is negative, the access request message received again is not selected as a transmission target.

  Therefore, when the access request message is repeatedly received from the client terminal 26 in which the application level session is not established, each time the received access request message is selected as the transmission target, the received access request message is selected as the next transmission target. As a result, the waiting time until the login screen is displayed on the display of the client terminal 26 after the user gives an instruction to access a specific website is increased. As shown in FIG. 9, t1, t2, t3, t4,... Increase exponentially. Then, while the access request message from the client terminal 26 that repeatedly transmits the access request message is not selected as the transmission target, the number of access request messages from the other client terminals 26 selected as the transmission target increases. Even if access request messages are repeatedly transmitted from the same client terminal 26 for the purpose of, the adverse effect on the use of the specific website by the authorized user who is logging in to the specific website can be minimized. . In addition, since the waiting time increases exponentially as described above, the act of repeatedly transmitting an access request message from the same client terminal 26 for the purpose of mischief can be suppressed.

  In the above description, every time an access request message received from a client terminal 26 in which an application level session is not established is selected as a transmission target, the number of accesses registered in the application session unestablished table Au is incremented by one. The access request message received from the same client terminal 26 is then set by overwriting the next permission time with the time obtained by adding the power of the natural number n, which is the multiplier of the number of accesses after the increment, to the first access time. The mode of exponentially increasing the time until selection as a transmission target has been described, but the method for increasing the next permitted time is not limited to the above, and the next permitted time is increased until the number of accesses reaches a certain value. 0 or decrease the slope of increase, and after reaching a certain value, allow next time Arbitrary increase methods, such as increasing the possible time rapidly, can be applied.

  In the above description, the mode in which only one web server 16 and one application server 18 are connected to the intranet 20 has been described. However, the present invention is not limited to this, and a plurality of servers 16 and 18 are provided and accessed. The control device 14 may be provided with a function as a load distribution device that distributes the received access requests to the servers 16 and 18 so that the loads of the servers 16 and 18 are leveled.

  Moreover, although the example which made the access control apparatus 14, the web server 16, and the application server 18 a separate body was demonstrated above, it is not limited to this, The access control apparatus 14, All the functions of the web server 16 and the application server 18 may be installed.

It is a block diagram which shows schematic structure of the computer system which concerns on this embodiment. It is a sequence diagram for demonstrating access of the specific website by a regular user. It is a flowchart which shows the content of the access control process performed with an access control apparatus. It is a flowchart which shows the content of a message | telegram transmission process. It is a flowchart which shows the content of the session unestablished message | telegram selection process. It is an image figure which shows an example of the format of each buffer and table which an access control apparatus uses. It is a flowchart which shows the content of the message | telegram transfer process performed with a web server. It is a flowchart which shows the content of the process at the time of the message | telegram reception performed with an application server. It is a sequence diagram for demonstrating access of the specific website for the purpose of mischief.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Computer system 12 Website management system 14 Access control apparatus 14B Memory 16 Web server 18 Application server 20 Intranet 24 Internet 26 Client terminal

Claims (8)

By selecting from the access requests received from an unspecified terminal device via a computer network as the processing target an access request having a predetermined upper limit value as the maximum number, processing according to the access request is performed by the processing means. An access management device that performs the process of returning a response to the terminal device that is the source of the access request for each access request selected as the processing target,
The processing means performs an authentication process based on the authentication information when the access request selected as the processing target includes an authentication information and requests a login, and transmits the access request by the authentication process. When it is confirmed that the operator of the original terminal device is a valid user, an application level session is established with the terminal device that is the source of the access request,
First storage means;
Based on the access request selected as the processing target, the application level session is established each time the processing means establishes an application level session with the terminal device that has transmitted the access request. Session management means for storing the identification information of the terminal device in the first storage means;
Among access requests received from an unspecified terminal device, an access request in which identification information of a transmission source terminal device is stored in the first storage means is preferentially selected as the processing target, and preferentially selected. Control means for selecting, as a processing target, an access request from a terminal device whose identification information of a transmission source terminal device is not stored in the first storage means when the total number of access requests is less than the upper limit;
An access management apparatus comprising: When the access request selected as the processing target is an access request requesting logoff, the processing means disconnects the application level session established with the terminal device that has transmitted the access request. Process
The session management means, based on the access request selected as the processing target, every time an application level session established with the terminal device that has transmitted the access request is disconnected by the processing means. 2. The access management apparatus according to claim 1, wherein the identification information of the terminal device from which the application level session is disconnected is deleted from the first storage means. A second storage means;
The identification information of the terminal device that is the transmission source of the received access request and for which the application level session has not been established is stored in the second storage means, and while the application level session has not been established, the terminal Unestablished session management means for storing the number of times an access request received from a device is selected as a processing target by the control means in association with identification information of the terminal device as the number of access times of the terminal device When,
Further comprising
As the number of accesses stored in the second storage unit increases, the control unit selects the access request from the corresponding terminal device as a processing target from the previous time until the next time it is selected as the processing target. The terminal device selected as a processing target among the terminal devices whose identification information is not stored in the first storage means is selected based on the information stored in the second storage means so as to increase. The access management apparatus according to claim 1. The unestablished session management means is configured to obtain an access request for which an identification information of a transmission source terminal apparatus is not stored in the first storage means among access requests received from an unspecified terminal apparatus. The identification information is stored in association with 0 as an initial value of the number of accesses and a current time as an initial value of the next permission time indicating a time at which the access request from the terminal device is permitted to be selected. Each time an access request from a terminal device whose identification information is stored in the second storage means is selected as a processing target by the control means, the corresponding information stored in the second storage means As the access count is incremented and the access count increases, the access request from the terminal device is selected as the next processing target. It so as to increase the time until Allow to, updating the next permission time corresponding has been stored in said second storage means,
When the total number of the access requests selected preferentially does not satisfy the upper limit value, the control means includes the second of the access requests from the terminal device whose identification information is not stored in the first storage means. 4. The access management apparatus according to claim 3, wherein an access request whose next permission time stored in the storage means is prior to the current time is selected as a processing target.   The said session management means deletes the information of the said terminal device from the said 2nd memory | storage means, whenever the said application level session is established between arbitrary terminal devices. Access control device.   The processing means obtains or generates information of a web page requested by each access request among the web pages constituting a predetermined website for each access request selected as the processing target, Necessary for establishing an application level session for an access request from a terminal device for which an application level session has not been established, while performing a process for distributing each access request to a terminal device as a transmission source 6. A process for distributing information on a login screen provided with an input field for an operator of the terminal device to input correct authentication information to the terminal device. The access management device according to item 1. By selecting from the access requests received from an unspecified terminal device via a computer network as the processing target an access request having a predetermined upper limit value as the maximum number, processing according to the access request is performed by the processing means. An access management method for causing each access request selected as the processing target to perform a process of performing a response and returning a response to the terminal device that is the transmission source of the access request,
The processing means performs an authentication process based on the authentication information when the access request selected as the processing target includes an authentication information and requests a login, and transmits the access request by the authentication process. When it is confirmed that the operator of the original terminal device is a valid user, an application level session is established with the terminal device that is the source of the access request,
Based on the access request selected as the processing target, the application level session is established each time the processing means establishes an application level session with the terminal device that has transmitted the access request. Storing the terminal device identification information in the first storage means,
Among access requests received from an unspecified terminal device, an access request in which identification information of a transmission source terminal device is stored in the first storage means is preferentially selected as the processing target, and preferentially selected. When the total number of access requests is less than the upper limit value, an access request from a terminal device whose identification information of a transmission source terminal device is not stored in the first storage means is selected as a processing target. Access management method. By selecting, as a processing target, an access request having a predetermined upper limit value as a maximum number from access requests received from an unspecified terminal device via a computer network, the computer having the first storage means, In order for the processing means to function as an access management device that performs processing according to the access request and returns a response to the terminal device that is the source of the access request, for each access request selected as the processing target. Access management program,
The processing means performs an authentication process based on the authentication information when the access request selected as the processing target includes an authentication information and requests a login, and transmits the access request by the authentication process. When it is confirmed that the operator of the original terminal device is a valid user, an application level session is established with the terminal device that is the source of the access request,
The computer,
Based on the access request selected as the processing target, the application level session is established each time the processing means establishes an application level session with the terminal device that has transmitted the access request. Session management means for storing identification information of the terminal device in the first storage means,
And, among the access requests received from the unspecified terminal device, the access request whose identification information of the transmission source terminal device is stored in the first storage means is preferentially selected as the processing target, and preferentially Control means for selecting, as a processing target, an access request from a terminal device whose identification information of a transmission source terminal device is not stored in the first storage means when the total number of selected access requests is less than the upper limit value. An access management program characterized by functioning.

Images