JP2017173889A - Transfer device, transfer method, transfer program, content request processing device, content request processing method, content request processing program, and access processing system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a transfer device, transfer method, transfer program, content request processing device, content request processing method, content request processing program, and access processing system that can prevent an open redirect.SOLUTION: A transfer device includes a reception unit, generation unit, determination unit, and transfer unit. The reception unit receives an access request including information on an access destination and first signature information, from a terminal device. The generation unit generates second signature information from user information that is information corresponding to a user of the terminal device, by a predetermined algorithm. The determination unit determines the validity of the access request on the basis of a result of comparison between the first signature information and second signature information. The transfer unit performs transfer processing for the access request on the basis of a result of the determination made by the determination unit.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a transfer device, a transfer method, a transfer program, a content request processing device, a content request processing method, a content request processing program, and an access processing system.

  In recent years, with the rapid spread of the Internet, advertisement distribution via the Internet has been actively performed. For example, an advertisement that promotes a company or product is displayed at a predetermined position on a web page, and when the advertisement content is clicked, an advertisement that causes a user terminal to access a landing page that is a linked page for the advertisement content Distribution technology is known.

  In such advertisement distribution, in order to grasp the access status to the landing page, before the landing page is received by the user terminal, the access request to the landing page by the user terminal is one or more transfer devices (hereinafter referred to as a redirector). (For example, refer to Patent Document 1).

Special table 2014-517414 gazette

  However, if the redirector is in a state where it can be redirected to an arbitrary page (called open redirect), the information on the access destination has been altered by a third party to a phishing site, and the phishing site is accessed via the redirector. There is a possibility.

  In order to eliminate such vulnerabilities due to open redirection, the redirector may perform a process of determining the legitimacy of an access request using a signature (called a signature). For example, the redirector redirects the user terminal only when the signature generated by the advertisement server from the landing page URL (Uniform Resource Locator) matches the signature generated from the landing page URL by the local device. Has been done.

  However, for example, in a case where advertisement content is distributed from an advertisement server of another administrator G2 in response to an advertisement request made to an advertisement server of a certain administrator G1, the redirector of the administrator G1 You may not know the URL.

  Since the advertisement server generates a signature using a unique algorithm for each administrator, it is difficult for the redirector of the administrator G1 to determine the legitimacy of the access request based on the signature generated by the advertisement server of the administrator G2. . Therefore, it may be difficult to prevent open redirect in the redirector of the administrator G1. This is not limited to the request for access to the landing page of the advertising content, but the same applies to the access request for redirecting to content other than the landing page.

  The present application has been made in view of the above, and includes a transfer device, a transfer method, a transfer program, a content request processing device, a content request processing method, a content request processing program, and an access processing system that can prevent open redirection. The purpose is to provide.

  The transfer device of the present application includes a reception unit, a generation unit, a determination unit, and a transfer unit. The accepting unit accepts an access request including access destination information and first signature information from a terminal device. The generation unit generates second signature information from user information that is information corresponding to a user of the terminal device by a predetermined algorithm. The determination unit determines validity of the access request based on a comparison result between the first signature information and the second signature information. The transfer unit performs transfer processing on the access request based on a determination result by the determination unit.

  According to one aspect of the embodiment, it is possible to provide a transfer device, a transfer method, a transfer program, a content request processing device, a content request processing method, a content request processing program, and an access processing system that can prevent open redirection. .

FIG. 1 is a diagram illustrating an example of access processing according to the embodiment. FIG. 2 is a diagram illustrating a configuration example of the access processing system according to the embodiment. FIG. 3 is a diagram illustrating a configuration example of the first advertisement server. FIG. 4 is a diagram illustrating a configuration example of the second advertisement server. FIG. 5 is a diagram illustrating a configuration example of the first redirector. FIG. 6 is a diagram illustrating a configuration example of the second redirector. FIG. 7 is a flowchart showing a flow of information processing in the first advertisement server according to the embodiment. FIG. 8 is a flowchart illustrating a flow of information processing in the second advertisement server according to the embodiment. FIG. 9 is a flowchart illustrating a flow of information processing in the first redirector according to the embodiment. FIG. 10 is a diagram illustrating an example of a hardware configuration of a computer that executes a program.

  Hereinafter, a mode for carrying out a transfer device, a transfer method, a transfer program, a content request processing device, a content request processing method, a content request processing program, and an access processing system according to the present application (hereinafter referred to as “embodiment”) This will be described in detail with reference to the drawings. The transfer device, the transfer method, the transfer program, the content request processing device, the content request processing method, the content request processing program, and the access processing system according to the present application are not limited by this embodiment.

[1. (Access processing including transfer processing)
The access process according to the embodiment will be described with reference to FIG. FIG. 1 is an explanatory diagram of access processing according to the embodiment. In the present embodiment, the access processing is executed by the access processing system 1.

  The access processing system 1 shown in FIG. 1 includes a user terminal 10, a first advertisement server 20 (an example of a content request processing apparatus and a first content providing apparatus), and a second advertisement server 30 (a content providing apparatus and a second content provision). An example device), a first redirector 40 (an example transfer device), and a second redirector 50.

  The user terminal 10, the first advertisement server 20, the second advertisement server 30, the first redirector 40, and the second redirector 50 are communicably connected via a network by wire or wireless. The first advertisement server 20 and the first redirector 40 are managed by an administrator T1, and the second advertisement server 30 and the second redirector 50 are managed by an administrator T2 different from the administrator T1.

  As shown in FIG. 1, when the user terminal 10 displays the web page W1 on the display unit 11, the user terminal 10 issues an advertisement request for acquiring the advertisement content AD to be displayed in the advertisement space F1 of the web page W1 to the first advertisement server. 20 (step S1).

  The data of the web page W1 (for example, data described in a markup language) includes the URL of the first advertisement server 20 as an access destination URL (Uniform Resource Locator) of the advertisement request. An advertisement request is made with the access destination URL as the destination URL.

  When receiving the advertisement request from the user terminal 10, the first advertisement server 20 determines whether to provide the user terminal 10 with the advertisement content from the first advertisement server 20 or the second advertisement server 30. Here, the description is continued assuming that the first advertisement server 20 has decided to provide the user terminal 10 with the advertisement content from the second advertisement server 30.

  The advertisement request transmitted from the user terminal 10 includes information corresponding to the user of the user terminal 10 (hereinafter referred to as user-related information), and the first advertisement server 20 uses the user-related information. The signature (hereinafter referred to as “SIG2”) is generated (step S2). For example, the first advertisement server 20 performs an operation using the first hash function α (an example of a predetermined algorithm) using the user-related information as input information, and sets the hash value that is the operation result as “SIG2” (the first signature information Example).

  As described above, the user-related information is information included in the advertisement request, and includes, for example, an HTTP (Hypertext Transfer Protocol) cookie (hereinafter simply referred to as a cookie), an IP address of the user terminal 10, an HTTP user agent (hereinafter referred to as “cookie”). , Simply described as a user agent) and link URL generation date and time.

  Further, the user related information may be a salt used when hashing the user information of the user terminal 10, for example. The salt is, for example, a random number generated by a pseudo-random number generator, and is added to the password when the password of the user of the user terminal 10 is hashed by a hash function in the administrator T1 device, for example. Such a salt may be included in a cookie or may be information included in a destination URL (access destination URL) of an advertisement request.

  The first advertisement server 20 transmits a redirect request including “URL (AS2)” and “SIG2” to the user terminal 10 (step S3), and transmits an advertisement request including “SIG2” to the second advertisement server 30. The user terminal 10 is instructed. “URL (AS2)” is the URL of the second advertisement server 30.

  Based on an instruction from the first advertisement server 20, the user terminal 10 transmits an advertisement request including “SIG2” to the second advertisement server 30 (step S4). The second advertisement server 30 determines the advertisement content AD corresponding to the advertisement request as the advertisement content to be distributed. Hereinafter, the URL of the landing page LP of the advertisement content AD is referred to as “URL (LP)”.

  The second advertisement server 30 distributes the advertisement content AD in which the link information including “URL (LP)” and “SIG2” is set to the user terminal 10 (step S5), and the user terminal 10 The advertising content AD received from 30 is displayed in the advertising space F1.

  Thereafter, when the advertisement content AD is selected (clicked) by the user of the user terminal 10 (step S6), the user terminal 10 responds with “URL (LP)” as an access request to the landing page LP. An access request including “SIG2” is transmitted to the first redirector 40 (step S7).

  When receiving the access request including “URL (LP)” and “SIG2”, the first redirector 40 determines the legitimacy of the access request (step S8). Specifically, the first redirector 40 generates a signature from the user-related information acquired from the user terminal 10 using the first hash function α, similarly to the first advertisement server 20. The first redirector 40 determines that the access request is valid when the signature generated by the own device matches “SIG2”.

  Since the first hash function α, which is a signature generation algorithm, is non-public information, the first redirector 40, if the signature generated by its own device matches “SIG2”, the access request is legitimate enough to be reliable. It can be determined that On the other hand, the first redirector 40 determines that the access request is unreliable when the signature generated by the own device and the match with “SIG2” are not obtained.

  When the first redirector 40 determines that the access request is valid, the first redirector 40 performs a transfer process (step S9). Specifically, the first redirector 40 makes a redirect request including “URL (LP)” to the user terminal 10 and transmits the access request including “URL (LP)” to the second redirector 50. The terminal 10 is instructed. In response to this instruction, the user terminal 10 transmits an access request including “URL (LP)” to the second redirector 50 (step S10).

  When the second redirector 50 receives an access request including “URL (LP)”, the second redirector 50 performs a transfer process (step S11). Specifically, the second redirector 50 makes a redirect request including “URL (LP)” to the user terminal 10 to access the web server having the landing page LP corresponding to “URL (LP)”. The user terminal 10 is instructed. In response to such an instruction, the user terminal 10 acquires the landing page LP from the web server using “URL (LP)” as the access destination URL (step S12).

  Thus, in the access processing system 1 according to the present embodiment, the generation algorithm (first hash function α) of the administrator T1 is implemented in the first advertisement server 20, and the first advertisement server 20 A signature is generated from user-related information acquired from the user terminal 10 using the function α.

  When the first redirector 40 of the administrator T1 receives the signature generated by the first advertisement server 20, the first redirector 40 of the user terminal 10 uses the first hash function α implemented by the administrator T1 that manages the own device. A signature is generated from user information. Then, the first redirector 40 determines the legitimacy of the access request by matching with the signature generated by the first redirector 40.

  Therefore, even when the second advertisement server 30 is selected by the first advertisement server 20 as the acquisition destination of the advertisement content and the landing page LP is determined by the second advertisement server 30, the first redirector 40 makes the access request Can be determined.

  Thereby, the administrator T1 side can collect click operations (transition to the landing page LP) on the advertising content AD by the first redirector 40 while preventing open redirection.

  Further, the same effect can be obtained even when the landing page LP of the advertising content AD is changed after the advertising content AD is provided from the second advertising server 30 to the user terminal 10.

  Hereinafter, a specific configuration example of the access processing system 1 will be described. In the following, an example is described in which the second advertisement server 30 includes generating a signature by hashing the URL of the landing page LP with a second hash function β different from the first hash function α.

[2. Access processing system 1]
FIG. 2 is a diagram illustrating a configuration example of the access processing system 1 according to the embodiment. As shown in FIG. 2, the access processing system 1 according to the embodiment includes a first advertisement server 20, a second advertisement server 30, a first redirector 40, a second redirector 50, a web server 60, and a management device. 70.

The first advertisement server 20, the second advertisement server 30, the first redirector 40, the second redirector 50, the web server 60, and the management device 70 are connected to each other via a network 80, and these devices are The plurality of user terminals 10 ₁ to 10 _n (n is an integer of 2 or more) are communicably connected. The network 80 is, for example, a LAN (Local Area Network) or a WAN (Wide Area Network) such as the Internet.

  As described above, the first advertisement server 20, the first redirector 40, the web server 60, and the management device 70 are managed by the administrator T1, and the second advertisement server 30 and the second redirector 50 are managed by the administrator T2. The

The user terminals 10 ₁ to 10 _n (hereinafter may be collectively referred to as the user terminal 10) have a browser, a desktop PC (Personal Computer), a notebook PC, a tablet terminal, a mobile phone, and the like. This is realized by a PDA (Personal Digital Assistant) or the like. In the following the user _U 1 ~U _n user terminals ₁₀ 1 to 10 _n, collectively referred to as user U.

  The user terminal 10 can access the web server 60 via the network 80 and receive web page data (for example, data written in a markup language) from the web server 60. The web page data received from the web server 60 includes the URL of the first advertisement server 20 as the URL of the advertisement request destination, and the user terminal 10 uses the URL of the first advertisement server 20 as the request destination URL. Make an ad request.

  Hereinafter, the first advertisement server 20, the second advertisement server 30, the first redirector 40, and the second redirector 50 will be specifically described with reference to the drawings.

[2.1. First advertising server 20]
FIG. 3 is a diagram illustrating a configuration example of the first advertisement server 20. As shown in FIG. 3, the first advertisement server 20 includes a communication unit 21, a storage unit 22, and a control unit 23 (controller).

  The communication unit 21 is a communication interface that transmits and receives information to and from the network 80, and connects to the network 80 in a wired or wireless manner. The control unit 23 can transmit and receive various types of information to and from the user terminal 10 via the communication unit 21 and the network 80.

  The storage unit 22 includes a user information storage unit 24 and an advertisement content storage unit 25. The user information storage unit 24 stores identification information (user ID) of the user U, attributes of the user U (for example, age, sex), and the like. The advertisement content storage unit 25 stores a plurality of pieces of content information including URL information of landing pages and advertisement content information. In the content information, each advertisement content information is associated with URL information of the landing page.

  The control unit 23 includes a reception unit 26, a determination unit 27, a generation unit 28, and a provision unit 29. The accepting unit 26 accepts an advertisement request from the user terminal 10. Such an advertisement request includes information on an advertising space (for example, the advertising space F1 shown in FIG. 1) (hereinafter referred to as advertising space information) and user related information that is information corresponding to the user of the user terminal 10. It is.

  The advertising space information is, for example, identification information of advertising space (or information such as the size and position of the advertising space), and may be described as “INF (F1)” hereinafter. Further, as described above, the user related information is, for example, cookie information, IP address information of the user terminal 10, user agent information, and link URL generation date / time information. The reception unit 26 acquires user-related information included in the advertisement request.

  The information of the cookie includes, for example, information such as identification information of the user U of the user terminal 10, an attribute of the user U, and an access history of the administrator T1 of the user U to the device. For example, the management device 70 functions as a front-end server that manages the first advertisement server 20, the first redirector 40, and the web server 60, and can transmit and receive cookie information to and from the user terminal 10. The first advertisement server 20 can acquire cookie information from the management device 70.

  The first advertisement server 20 and the first redirector 40 may be an integrated server. In this case, both the first advertisement server 20 and the first redirector 40 can transmit and receive cookies to and from the user terminal 10. it can.

  In addition, the information on the cookie between the user terminal 10 and the first advertisement server 20 and the information on the cookie between the user terminal 10 and the first redirector 40 are associated with the first redirector 40 and stored in the storage unit 22. You can also keep it. In this case, the control unit 23 may acquire information on the cookie between the user terminal 10 and the first advertisement server 20 from the storage unit 22 based on the cookie information between the user terminal 10 and the first redirector 40. it can.

  For example, the IP address of the user terminal 10 is included as a transmission source IP address in the advertisement request, and the reception unit 26 acquires the transmission source IP address as the IP address of the user terminal 10.

  The user agent is information related to the browser of the user terminal 10, and is information included in the header of the HTTP request when the advertisement request is an HTTP request. The user agent information includes information such as the browser name, browser version, OS (Operating System) name and version in which the browser is operating, and language used.

  The link URL generation date / time is, for example, information on the generation date / time of the web page by the web server 60. The web server 60 accepts a request from the user terminal 10 and generates the web page as the link URL generation date / time. Can be included in web page data. As a result, when the user U of the user terminal 10 clicks on the advertisement content set on the web page, the link source information (also referred to as the referrer) including the web page URL and link URL generation date / time information is sent to the landing page. It can be included in the header of the access request and transmitted from the user terminal 10.

  For example, the determination unit 27 identifies the user U of the user terminal 10 from the cookie included in the advertisement request, and stores the user U attribute information (for example, the sex, age, address, interest, etc. of the user U) as user information. Obtained from the unit 24.

  The determination unit 27 determines whether to provide the user terminal 10 with the advertisement content from the first advertisement server 20 or the second advertisement server 30 based on the attribute information of the user U. For example, the determination unit 27 determines the advertisement server so as to increase the advertising revenue for the user U of the user terminal 10 among the first advertisement server 20 and the second advertisement server 30.

  When the determination unit 27 determines to provide the advertisement content from the first advertisement server 20, the determination unit 27 provides the user terminal 10 with the advertisement content stored in the advertisement content storage unit 25 based on the attribute information of the user U. The advertisement content AD1 (hereinafter referred to as the first advertisement content AD1) to be determined is determined.

  When the determination unit 27 determines that the first advertisement content AD1 is provided from the first advertisement server 20, the generation unit 28 generates a signature (hereinafter referred to as “SIG1”) using “URL (LP1)”. . Specifically, the generation unit 28 calculates the hash value by calculating the first hash function α using “URL (LP1)” as input information, and sets the hash value as “SIG1”. “URL (LP1)” is the URL of the landing page LP1 set as the link destination of the first advertisement content AD1.

  On the other hand, when the determination unit 27 determines that the advertisement content is to be provided from the second advertisement server 30, the generation unit 28 uses the user-related information of the user U as a signature (an example of first signature information. Hereinafter, “SIG2”. Generate). Specifically, the generation unit 28 calculates the first hash function α using the user related information as input information to obtain a hash value, and sets the hash value as “SIG2”.

  For example, the generation unit 28 hashes at least one user-related information among the cookie information, the IP address information of the user terminal 10, the user agent information, the link URL generation date and time, and the salt information by the first hash function α. As a result, “SIG2” is generated. Note that “SIG2” can also be generated by hashing a part of any one of the user-related information with the first hash function α.

  The information of the cookie includes, for example, identification information of the user U, and is unique to each user U. Therefore, it can be said that the information specifies the user U. Therefore, by generating “SIG2” using the cookie information, “SIG2” can be set to a unique value for each user U, and the correctness is accurately determined by the first redirector 40 described later. be able to. The generation unit 28 can generate “SIG2” using part or all of the cookie information.

  In addition, when a unique IP address is assigned to each user terminal 10, the IP address of the user terminal 10 becomes unique information for each user U, and thus can be said to be information for identifying the user U. Therefore, “SIG2” can be set to a unique value for each user U by generating “SIG2” using the IP address of the user terminal 10. In addition, when the user terminal 10 is connected to the first advertisement server 20 via a router, for example, the same IP address may be assigned to a plurality of user terminals 10, but the user terminals 10 having the same IP address The number is limited, and the IP address of the user terminal 10 can be said to be information specifying the user U.

  Further, the user agent information includes information such as the browser name, browser version, OS name and version, and language used, and is information according to the state of the user terminal 10. Since the number of user terminals 10 having the same user agent information is narrowed down, the user agent information can also be said to be information that can identify the user U.

  The link URL generation date / time is the date / time when the web page in which the advertisement content is set is generated. By setting the link URL generation date and time with information in units of seconds or a unit smaller than the second unit (for example, 0.1 second), the link URL generation date and time can be used as information for specifying the user.

  The salt is, for example, a random number generated by a pseudo-random number generator, and the salt can be used as information for specifying the user U by increasing the number of digits. The user-related information is not limited to the above-described example, and may be information included in an access request or an advertisement request from the user terminal 10 and can identify the user U. The user related information may be information acquired based on information included in the request from the user terminal 10.

  The user-related information is not limited to uniquely specifying the user U, such as a cookie or an IP address. As described above, the user U information specifies the same user U, or the access date and time of the web page The information which can narrow down the user U by specifying the same user U is included. Even in such a case, it is possible to increase the possibility that “SIG2” varies depending on the user U, and it is possible to accurately determine the validity in the first redirector 40 described later.

  When the determining unit 27 determines that the first advertising content AD1 is provided from the first advertising server 20, the providing unit 29 has link information including “URL (LP1)”, “SIG1”, and “INF (F1)”. Information on the set first advertisement content AD1 is transmitted to the user terminal 10. “INF (F1)” is the advertisement space information as described above.

  If the URL of the first redirector 40 is URL (RD1), the providing unit 29 sets the link information including, for example, “URL (RD1)? URL (LP1) & SIG1 & INF (F1)” which is the access destination URL. Information on one advertisement content AD1 is transmitted to the user terminal 10. When the user terminal 10 receives the information of the first advertisement content AD1 from the first advertisement server 20, the user terminal 10 displays the first advertisement content AD1 in the advertisement space of the web page.

  When the first advertisement content AD1 displayed in the advertisement space is selected (clicked) in this way, the user terminal 10 uses “1” as the access destination URL based on the link information set in the selected first advertisement content AD1. An access request including "URL (RD1)? URL (LP1) & SIG1 & INF (F1)" is sent to the first redirector 40.

  On the other hand, when the determining unit 27 determines that the advertisement content is to be provided from the second advertisement server 30, the providing unit 29 includes a redirect request including “URL (AS2)”, “SIG2”, and “INF (F1)” as access information. Is transmitted to the user terminal 10. “URL (AS2)” is the URL of the second advertisement server 30.

  For example, the providing unit 29 transmits a redirect request including access URL “URL (AS2)? SIG2 & INF (F1)” as access information to the user terminal 10. When receiving the redirect request, the user terminal 10 transmits an advertisement request including “URL (AS2)? SIG2 & INF (F1)” included as an access destination URL in the redirect request to the URL of the second advertisement server 30. As described above, when the determination unit 27 determines to provide the advertisement content from the second advertisement server 30, the advertisement request to the first advertisement server 20 is redirected to the second advertisement server 30.

[2.2. Second advertising server 30]
FIG. 4 is a diagram illustrating a configuration example of the second advertisement server 30. As shown in FIG. 4, the second advertisement server 30 includes a communication unit 31, a storage unit 32, and a control unit 33 (controller).

  The communication unit 31 is a communication interface that transmits and receives information to and from the network 80, and connects to the network 80 by wire or wirelessly. The control unit 33 can transmit and receive various types of information to and from the user terminal 10 via the communication unit 31 and the network 80.

  The storage unit 32 includes a user information storage unit 34 and an advertisement content storage unit 35. The user information storage unit 34 stores identification information (user ID) of the user U, attributes of the user U (for example, age, sex), and the like. The advertisement content storage unit 35 stores information on a plurality of advertisement contents in which the landing page URL is set as link information.

  The control unit 33 includes a reception unit 36, a determination unit 37, a generation unit 38, and a provision unit 39. The reception unit 36 receives an advertisement request from the user terminal 10 redirected by the first advertisement server 20 as described above. When the reception unit 36 receives the advertisement request, the determination unit 37 selects the advertisement content to be provided to the user terminal 10 from the plurality of advertisement contents stored in the advertisement content storage unit 35 (hereinafter referred to as second advertisement content AD2). Decide).

  For example, the determination unit 37 identifies the user U of the user terminal 10 from the cookie included in the advertisement request, and stores the user U attribute information (for example, the gender, age, address, interest, etc. of the user U) as user information. The second advertisement content AD2 is determined based on the attribute information acquired from the unit 34.

  The generation unit 38 generates a signature using “URL (LP2)” (hereinafter, may be described as “SIG3”). Specifically, the generation unit 38 calculates a second hash function β that is different from the first hash function α using “URL (LP2)” as input information to obtain a hash value, and obtains the hash value as “SIG3”. And “URL (LP2)” is the URL of the landing page LP2 set as the link destination of the second advertisement content AD2.

  The providing unit 39 transmits information on the second advertisement content AD2 in which “URL (LP2)”, “SIG2”, “SIG3”, and “INF (F1)” are set as link information to the user terminal 10. For example, when the URL of the first redirector 40 is URL (RD1), the providing unit 39 includes advertisement content information including “URL (RD1)? URL (LP2) & SIG2 & INF (F1) & SIG3” as the access destination URL as link information. Is transmitted to the user terminal 10. When receiving the second advertisement content AD2 from the second advertisement server 30, the user terminal 10 displays the second advertisement content AD2 in the advertisement frame of the web page.

  Thereafter, when the second advertising content AD2 displayed in the advertising space is selected (clicked), the user terminal 10 sends “URL (LP2)” to the first redirector 40 set as the link destination of the second advertising content AD2. And an access request including “SIG2” and “SIG3”. For example, the user terminal 10 makes an access request including “URL (RD1)? URL (LP2) & SIG2 & INF (F1) & SIG3” as the access destination URL to the first redirector 40.

  The operation when the user terminal 10 makes an advertisement request to the second advertisement server 30 based on the redirect request from the first advertisement server 20 as the operation of the control unit 33 has been described. The information of the second advertisement content AD2 can also be transmitted to the user terminal 10 that has made the advertisement request that is not performed.

[2.3. First redirector 40]
FIG. 5 is a diagram illustrating a configuration example of the first redirector 40. As shown in FIG. 5, the first redirector 40 includes a communication unit 41, a storage unit 42, and a control unit 43 (controller).

  The communication unit 41 is a communication interface that transmits and receives information to and from the network 80, and connects to the network 80 in a wired or wireless manner. The control unit 43 can transmit and receive various types of information to and from the user terminal 10 via the communication unit 41 and the network 80.

  The storage unit 42 includes a transfer history storage unit 44. The transfer history storage unit 44 stores a transfer history of access requests that have been subjected to transfer processing described later by the control unit 43 in association with advertisement space information included in these access requests.

  The control unit 43 includes a reception unit 45, a generation unit 46, a determination unit 47, and a transfer unit 48. The accepting unit 45 accepts an access request from the user terminal 10. When the first advertisement content AD1 is clicked as described above, the user terminal 10 accesses, for example, an access request (hereinafter referred to as the first URL) including “URL (RD1)? URL (LP1) & SIG1 & INF (F1)” as the access destination URL. May be described as an access request) to the first redirector 40. The accepting unit 45 accepts the first access request.

  Further, as described above, when the second advertising content AD2 is clicked by the user U, the user terminal 10 includes the second URL including “URL (RD1)? URL (LP2) & SIG2 & INF (F1) & SIG3” as the access destination URL. An access request is transmitted to the first redirector 40. The accepting unit 45 accepts the second access request.

  When the receiving unit 45 receives the first access request, the generating unit 46 describes the signature (hereinafter, “sig1”) using “URL (LP1)” which is the URL of the landing page LP1 of the first advertisement content AD1. May generate). Specifically, the generation unit 46 obtains a hash value by calculation using the first hash function α using “URL (LP1)” as input information, and sets the hash value as “sig1”.

  In addition, when the receiving unit 45 receives the second access request, the generating unit 46 generates a signature (hereinafter, sometimes referred to as “sig2”) using the user-related information included in the second access request. . Specifically, the generation unit 46 calculates the first hash function α using at least one user-related information among the plurality of user-related information included in the second access request as input information to obtain a hash value. The hash value is “sig2”.

  The user-related information used by the generation unit 46 when generating “sig2” is the same as the user-related information used by the generation unit 28. For example, when the generation unit 28 generates “SIG2” using the cookie information, the generation unit 46 also generates “sig2” using the cookie information. When the generation unit 28 generates “SIG2” using the cookie information and the IP address information, the generation unit 46 also generates “sig2” using the cookie information and the IP address information.

  When the reception unit 45 receives the first access request, the determination unit 47 compares “SIG1” included in the first access request with “sig1” generated by the generation unit 46. Then, the determination unit 47 determines that the first access request is valid when “SIG1” and “sig1” match, and the first access when “SIG1” and “sig1” do not match. Determine that the request is unreliable.

  Further, when the receiving unit 45 receives the second access request, the determination unit 47 compares “SIG2” included in the second access request with “sig2” generated by the generating unit 46. Then, the determination unit 47 determines that the second access request is valid when “SIG2” and “sig2” match, and the second access when “SIG2” and “sig2” do not match. Determine that the request is unreliable.

  Note that the determination unit 47 can trust the second access request based on the link URL generation date / time information included in the second access request even when “SIG2” and “sig2” match. It can be further determined whether or not it is a thing. For example, the determination unit 47 can determine that the second access request is not reliable when the date and time after a predetermined time (for example, 10 minutes) from the link URL generation date and time is before the current date and time. On the other hand, the determination unit 47 can determine that the second access request is reliable when the date and time after the predetermined time from the link URL generation date and time is later than the current date and time.

  The transfer unit 48 performs a transfer process for the first access request based on the determination result by the determination unit 47. For example, when the determination unit 47 determines that the first access request is valid, the transfer unit 48 transmits an access request including “URL (LP1)” to the server having the landing page LP1. 10 is instructed. Such an instruction is performed, for example, by transmitting a redirect request including “URL (LP1)” as the access destination URL to the user terminal 10.

  The transfer unit 48 performs a transfer process for the second access request based on the determination result by the determination unit 47. For example, when the determination unit 47 determines that the second access request is valid, the transfer unit 48 transmits an access request including “URL (LP2)” and “SIG3” to the second redirector 50. 10 is instructed. For example, the transfer unit 48 instructs the user terminal 10 to make an access request including “URL (RD2)? URL (LP2) & SIG3” as the link destination URL. On the other hand, when the determination unit 47 determines that the second access request is not valid, the transfer unit 48 does not perform transfer processing for the second access request.

  The transfer unit 48 stores in the transfer history storage unit 44 the transfer history of the first access request and the transfer history of the second access request that have been transferred as described above. The transfer history of the first access request is, for example, the date and time when the first access request is received, the number of received first access requests, the identification information of the user U who made the first access request, and the like. From the transfer history of the first access request, the number of clicks on the first advertisement content AD1 can be grasped.

  Further, the transfer history of the second access request is, for example, the date and time when the second access request is received, the number of received second access requests, the identification information of the user U who made the second access request, and the like. From the transfer history of the second access request, the number of clicks on the second advertisement content AD2 can be grasped.

[2.4. Second redirector 50]
FIG. 6 is a diagram illustrating a configuration example of the second redirector 50. As shown in FIG. 6, the second redirector 50 includes a communication unit 51, a storage unit 52, and a control unit 53 (controller).

  The communication unit 51 is a communication interface that transmits and receives information to and from the network 80, and connects to the network 80 in a wired or wireless manner. The control unit 53 can transmit and receive various types of information to and from the user terminal 10 via the communication unit 51 and the network 80.

  The storage unit 52 includes a transfer history storage unit 54. The transfer history storage unit 54 stores the transfer history of an access request for which a transfer process, which will be described later, has been performed by the control unit 53 in association with the advertising space information included in the access request.

  The control unit 53 includes a reception unit 55, a generation unit 56, a determination unit 57, and a transfer unit 58. The accepting unit 55 accepts an access request from the user terminal 10. For example, the accepting unit 55 accepts an access request including “URL (RD2)? URL (LP2) & SIG3” as the link destination URL from the user terminal 10.

  The generation unit 56 generates a signature (hereinafter referred to as “sig3”) using “URL (LP2)” which is the URL of the landing page LP2. Specifically, the generation unit 56 obtains a hash value by calculation using the second hash function β with “URL (LP2)” as input information, and sets the hash value as “sig3”.

  The determination unit 57 compares “SIG3” included in the access request received by the reception unit 55 with “sig3” generated by the generation unit 56. Then, when “SIG3” and “sig3” match, the determination unit 57 determines that the access request received by the receiving unit 55 is valid, and when “SIG3” and “sig3” do not match The access request is determined to be unreliable.

  The transfer unit 58 performs a transfer process for the access request received by the receiving unit 55 based on the determination result by the determination unit 57. For example, when the determination unit 57 determines that the access request is valid, the transfer unit 58 makes a redirect request including “URL (LP2)” to the user terminal 10 as an access request to the landing page LP2. The user terminal 10 is instructed to transmit an access request including “URL (LP2)” as the access destination URL to the server of the landing page LP1. On the other hand, when the determination unit 57 determines that the access request is not valid, the transfer unit 58 does not perform transfer processing for the access request.

  The transfer unit 58 stores, in the transfer history storage unit 54, a history of access requests that have been transferred as described above. The access request history includes, for example, the access request reception date and time, the number of access request receptions, the identification information of the user U who made the access request, and the like. From the access request history, the number of clicks on the second advertisement content AD2 can be grasped.

[3. Processing flow of access processing system 1]
First, an information processing procedure in the first advertisement server 20 will be described with reference to FIG. FIG. 7 is a flowchart showing a flow of information processing in the first advertisement server 20, and such processing is repeatedly executed.

  As shown in FIG. 7, the control unit 23 of the first advertisement server 20 determines whether or not there is an advertisement request from the user terminal 10 to the first advertisement server 20 (step S10). If it determines with there being an advertisement request (step S10; Yes), the control part 23 will determine the advertisement server used as the provision destination of advertisement content (step S11).

  When the advertisement server determined as the advertisement content providing destination is the first advertisement server 20 (step S12; Yes), the control unit 23 determines the first advertisement content AD1 to be provided to the user terminal 10 (step S13). . Further, the control unit 23 generates a signature (“SIG1”) from “URL (LP1)” that is the URL of the landing page LP1 of the first advertisement content AD1 (step S14). Thereafter, the control unit 23 transmits information of the first advertisement content AD1 in which link information including “SIG1”, “URL (LP1)”, and “INF (AD1)” is set to the user terminal 10 (step S15). .

  On the other hand, when the advertisement server determined as the advertisement content providing destination is the second advertisement server 30 (step S12; No), the control unit 23 obtains a signature ("" from the user related information included in the advertisement request of the user terminal 10). SIG2 ") is generated (step S16). Then, the control unit 23 transmits a redirect request including “URL (AS2)”, “SIG2”, and “INF (F1)” as access information to the user terminal 10 (step S17).

  When it determines with there being no advertisement request in step S10 (step S10; No), when the process of step S15 is complete | finished and when the process of step S17 is complete | finished, the control part 23 complete | finishes the process shown in FIG. .

  Next, the procedure of information processing in the second advertisement server 30 will be described with reference to FIG. FIG. 8 is a flowchart showing a flow of information processing in the second advertisement server 30, and such processing is repeatedly executed.

  As shown in FIG. 8, the control unit 33 of the second advertisement server 30 determines whether or not there is an advertisement request from the user terminal 10 to the second advertisement server 30 (step S20). When determining that there is an advertisement request (step S20; Yes), the control unit 33 determines the second advertisement content AD2 to be transmitted to the user terminal 10 (step S21).

  Next, the control unit 33 generates a signature (“SIG3”) from “URL (LP2)” that is the URL of the landing page LP2 that is the link destination of the second advertisement content AD2 (step S22). And the control part 33 is "SIG2", "SIG3", and "URL (LP2)." Information of the second advertisement content AD2 in which the link information including “INF (F1)” is set is transmitted to the user terminal 10 (step S23).

  Next, an information processing procedure in the first redirector 40 will be described with reference to FIG. FIG. 9 is a flowchart showing a flow of information processing in the first redirector 40, and such processing is repeatedly executed.

  As shown in FIG. 9, the control unit 43 of the first redirector 40 determines whether or not there is an access request from the user terminal 10 (step S30). If it determines with there being an access request (step S30; Yes), the control part 43 will determine whether an access request is a 1st access request (step S31). In such processing, the control unit 43 can determine whether the request is a first access request based on the type information included in the signature, for example.

  If it is determined that the access request is the first access request (step S31; Yes), the control unit 43 generates “sig1” using “URL (LP1)” included in the first access request (step S32). .

  Then, the control unit 43 compares “SIG1” included in the first access request with the generated “sig1” (step S33), and determines whether the first access request is valid based on the comparison result. Determination is made (step S34). In this process, the control unit 43 determines that the first access request is valid when “SIG1” and “sig1” match. When it is determined that the first access request is valid (step S34; Yes), the control unit 43 performs a transfer process for the second access request (step S35).

  When determining that the access request is the second access request and not the first access request (step S31; No), the control unit 43 generates “sig2” using the user-related information in the second access request (step S36). ). Then, the control unit 43 compares “SIG2” included in the second access request with the generated “sig2” (step S37), and determines whether the second access request is valid based on the comparison result. Determination is made (step S38).

  In the process of step S38, the control unit 43 determines that the second access request is valid when “SIG2” and “sig2” match. When it is determined that the second access request is valid (step S38; Yes), the control unit 43 performs a transfer process for the second access request (step S39).

  When it is determined that there is no access request from the user terminal 10 (step S30; No), when it is determined that the first access request is not valid (step S34; No), when it is determined that the second access request is not valid (Step S38; No), when the processes of Steps S35 and S39 are completed, the control unit 43 ends the process shown in FIG.

[4. (Modification)
In the embodiment described above, the first redirector 40 is described as performing a redirect request including “URL (LP1)” and “SIG3” to the user terminal 10 when it is determined that the first access request is valid. However, “SIG2” may be included in the redirect request. In this case, such “SIG2” is transferred without being considered in the second redirector 50.

  Moreover, although embodiment mentioned above demonstrated the example in which a transfer process is performed in order of the 1st redirector 40 and the 2nd redirector 50, it is not limited to this example. That is, similar processing can be performed even when transfer processing is performed in the order of the second redirector 50 and the first redirector 40. In this case, the link information of the second advertisement content AD2 includes, for example, “URL (RD2)? URL (LP1) & SIG2 & INF (F1)” as the access destination URL. The transfer unit 58 of the second redirector 50 transmits a redirect request including “URL (RD1)? URL (LP1) & SIG2 & INF (F1)” as an access destination URL to the user terminal 10. Thereby, an access request including “SIG2” is transmitted from the user terminal 10 to the first redirector 40.

  In the above-described embodiment, the hash value of one or more user-related information is used as a signature. However, the present invention is not limited to this example, and the algorithm is not limited as long as a signature can be generated from one or more user-related information. .

  Moreover, the control part 23 of the 1st advertisement server 20 and the control part 43 of the 1st redirector 40 can change the algorithm and user related information which are used for signature generation for every predetermined period, for example.

  In the above-described embodiment, the control unit 43 of the first redirector 40 specifies the clicked advertisement space based on the advertisement space information (for example, “INF (F1)”), but the link source included in the access request It is also possible to specify the clicked advertisement space from information (also referred to as a referrer).

  In the above-described embodiment, the example in which the access request to the landing page linked to the second advertisement content AD2 is transferred has been described. However, the present invention is not limited to this example. For example, it may be anything that transfers an access request to content linked to a certain content, and may be a web page or game content instead of the advertising content. The linked content is not limited to a web page, and may be advertising content or game content. That is, the access processing system 1 of the present application can be applied as long as it can grasp the access to the link destination.

  In the above-described embodiment, the access request including the signature (for example, “SIG1”, “SIG2”, “SIG3”) in the link destination URL has been described as an example. However, the signature is included in the cookie, for example. It may be.

  The generation unit 28 of the first advertisement server 20 can add expiration date information (hereinafter referred to as “TIME”) as a signature. The expiration date is set, for example, after a predetermined time (for example, after 10 minutes) from the current date and time. For example, the providing unit 39 can include “SIG1” and “TIME” as signatures in the link information, or include “SIG2” and “TIME” as signatures in the link information.

  In this case, the determination unit 47 of the first redirector 40 can trust the access request based on “TIME” included in the first access request and the second access request in addition to “SIG1” and “SIG2”. Can be determined.

  For example, when “TIME” included in the second access request is set to information on an expiration date after the current time, the determination unit 47 determines that the access request is reliable. On the other hand, when the information on the expiration date before “TIME” included in the second access request is set, the determination unit 47 determines that the access request is not reliable.

[5. Hardware configuration)
The first advertisement server 20, the second advertisement server 30, the first redirector 40, and the second redirector 50 in the above-described embodiment are realized by, for example, the computer 200 configured as shown in FIG. .

  FIG. 10 is a diagram illustrating an example of a hardware configuration of a computer that executes a program. A computer 200 includes a central processing unit (CPU) 201, a random access memory (RAM) 202, a read only memory (ROM) 203, a hard disk drive (HDD) 204, a communication interface (I / F) 205, an input / output interface (I / F). F) 206 and a media interface (I / F) 207.

  The CPU 201 operates based on a program stored in the ROM 203 or the HDD 204 and controls each unit. The ROM 203 stores a boot program executed by the CPU 201 when the computer 200 is started up, a program depending on the hardware of the computer 200, and the like.

  The HDD 204 stores data used by programs executed by the CPU 201. The communication interface 205 corresponds to each of the communication units 21, 31, 41, 51, receives data from other devices via the network 80, sends the data to the CPU 201, and sends the data generated by the CPU 201 to the other via the network 80. To the device.

  The CPU 201 controls an output device such as a display and a printer and an input device such as a keyboard and a mouse via the input / output interface 206. The CPU 201 acquires data from the input device via the input / output interface 206. Further, the CPU 201 outputs the generated data to the output device via the input / output interface 206.

  The media interface 207 reads a program or data stored in the recording medium 208 and provides it to the CPU 201 via the RAM 202. The CPU 201 loads the program from the recording medium 208 onto the RAM 202 via the media interface 207, and executes the loaded program. The recording medium 208 is, for example, an optical recording medium such as a DVD (Digital Versatile Disc) or PD (Phase change rewritable disk), a magneto-optical recording medium such as an MO (Magneto-Optical disk), a tape medium, a magnetic recording medium, or a semiconductor memory. Etc.

  When the computer 200 functions as the first advertisement server 20, the CPU 201 of the computer 200 executes a program loaded on the RAM 202, thereby receiving the reception unit 26, the determination unit 27, the generation unit 28, and the provision unit illustrated in FIG. 3. 29 functions are realized. The accepting unit 26, the determining unit 27, the generating unit 28, and the providing unit 29 may be partially or entirely configured by hardware such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA). .

  When the computer 200 functions as the second advertisement server 30, the CPU 201 of the computer 200 executes a program loaded on the RAM 202, thereby receiving the reception unit 36, the determination unit 37, the generation unit 38, and the like illustrated in FIG. 4. Each function of the providing unit 39 is realized. The accepting unit 36, the determining unit 37, the generating unit 38, and the providing unit 39 may be partially or entirely configured by hardware such as an ASIC or FPGA.

  Further, when the computer 200 functions as the first redirector 40, the CPU 201 of the computer 200 executes the program loaded on the RAM 202, whereby the reception unit 45, the generation unit 46, the determination unit 47, and the transfer illustrated in FIG. Each function of the unit 48 is realized. Note that a part or all of the reception unit 45, the generation unit 46, the determination unit 47, and the transfer unit 48 may be configured by hardware such as an ASIC or FPGA.

  Further, when the computer 200 functions as the second redirector 50, the CPU 201 of the computer 200 executes a program loaded on the RAM 202, whereby the reception unit 55, the generation unit 56, the determination unit 57, and the transfer illustrated in FIG. Each function of the unit 58 is realized. Note that the reception unit 55, the generation unit 56, the determination unit 57, and the transfer unit 58 may be partially or entirely configured by hardware such as an ASIC or FPGA.

  The CPU 201 of the computer 200 reads the auction program from the recording medium 208 and executes it, but as another example, the program may be acquired from another device via the network 80.

  The HDD 204 corresponds to each of the storage units 22, 32, 42, 52 and stores data similar to that of the storage units 22, 32, 42, 52. Further, instead of the HDD 204, a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, or a storage device such as an optical disk may be used.

[6. effect〕
The first redirector 40 (an example of a transfer device) according to the embodiment includes a reception unit 45, a generation unit 46, a determination unit 47, and a transfer unit 48. The receiving unit 45 receives a second access request (for example, “URL (LP2)”) and “SIG2” (an example of first signature information) from the user terminal 10 (an example of a terminal device). An example of an access request is received. The generation unit 46 generates “sig2” (an example of second signature information) from user-related information (an example of user information) that is information corresponding to the user U of the user terminal 10 using the first hash function α (an example of a predetermined algorithm). ) Is generated. The transfer unit 48 determines the validity of the second access request based on the comparison result between “SIG2” and “sig2”. The transfer unit 48 performs a transfer process for the second access request based on the determination result by the determination unit 47. As a result, even if the landing page is not known by the device on the administrator T1 side, the validity of the access request can be determined by the first redirector 40, so that open redirection can be prevented. .

  Further, when the determination unit 47 determines that the transfer unit 48 is valid, the transfer unit 48 transmits an access request to the second redirector 50 (an example of another transfer device) or the landing page LP2 server (access destination device). A transfer process instructing the user terminal 10 to perform is performed. On the other hand, the transfer unit 48 does not perform the transfer process when the determination unit 47 does not determine that the data is valid. As described above, since the transfer process of the access request having no legitimacy is not performed, open redirection can be prevented. For example, when a malicious third party knows information on an access destination URL including “URL (RD1)” and “SIG2” at his / her user terminal 10 and pastes the access URL into a spam mail. However, “SIG2” included in the access destination URL is different from “SIG2” obtained from the user related information of the user terminal 10 of the user U who browses the spam mail. For this reason, it is determined that the access request has no legitimacy, and transfer processing of the access request is not performed.

  The second access request from the user terminal 10 includes user related information, and the determination unit 47 generates “sig2” from the user related information included in the second access request by using the first hash function α. Thus, since “sig2” is generated using the user-related information included in the second access request, the legitimacy of the access request can be easily grasped.

  The user-related information includes at least one information of the IP address of the user terminal 10, the link URL generation date / time (an example of the access source web page generation date / time), the cookie output from the user terminal 10, and the user agent. In this way, since information that can uniquely identify the user U or within a certain predetermined range is used, the uniqueness of “sig2” can be increased, and open redirection can be accurately prevented.

  The access processing system 1 of the present application includes a first advertisement server 20 (an example of a first content providing apparatus), a second advertisement server 30 (an example of a second content providing apparatus), and a first redirector 40. When there is a content request from the user terminal 10, the first advertisement server 20 generates “SIG2” from the user-related information using the first hash function α, and sends a content request including “SIG2” to the second advertisement server 30. The user terminal 10 is instructed to do so. In response to a content request including “SIG2” from the user terminal 10, the second advertisement server 30 sets “SIG2” and “URL (LP2)” (an example of link destination information). Information on AD2 (an example of content) is provided to the user terminal 10. The receiving unit 45 of the first redirector 40 receives information (an example of link destination information) including “URL (LP2)” as access destination information from the user terminal 10. As a result, it is possible to provide the access processing system 1 that can prevent open redirection even when the landing page is not known by the device on the administrator T1 side.

  The first advertisement server 20 (an example of a content request processing device) includes a reception unit 26, a generation unit 28, and a provision unit 29. The accepting unit 26 accepts a content request from the user terminal 10 (an example of a terminal device). When the content request is received by the reception unit 26, the generation unit 28 is user information that is information corresponding to the user of the user terminal 10 (an example of a terminal device) by the first hash function α (an example of a predetermined algorithm). “SIG2” (an example of signature information) is generated. The providing unit 29 provides access information including “SIG2” generated by the generating unit 28 to the user terminal 10. As a result, the information including “SIG2” can be notified from the user terminal 10 to the access destination device (for example, the second advertisement server 30).

  As described above, some of the embodiments of the present application have been described in detail based on the drawings. It is possible to implement the present invention in other forms with improvements.

  In addition, the first advertisement server 20, the second advertisement server 30, the first redirector 40, and the second redirector 50 described above may be realized by a plurality of server computers, respectively. The configuration can be flexibly changed, for example, by calling (Application Programming Interface) or network computing.

  Moreover, the above-mentioned “section (module, unit)” can be read as “means”, “circuit”, and the like. For example, the transfer unit can be read as transfer means or a transfer circuit.

1 access processing system 10, 10 ₁ to 10 _n user terminal 20 first advertisement server (an example of a content request processing device and a first content providing device)
21, 41 Communication unit 22, 42 Storage unit 23, 43 Control unit 24 User information storage unit 25 Advertising content storage unit 26, 45 Reception unit 27 Determination unit 28, 46 Generation unit 29 Providing unit 30 Second advertising server (content providing device) And an example of the second content providing device)
40 First redirector (an example of a transfer device)
44 Transfer history storage unit 47 Judgment unit 48 Transfer unit 50 Second redirector 60 Web server

Claims (10)

A receiving unit that receives an access request including access destination information and first signature information from a terminal device;
A generating unit that generates second signature information from user information that is information corresponding to a user of the terminal device according to a predetermined algorithm;
A determination unit that determines validity of the access request based on a comparison result between the first signature information and the second signature information;
Based on the determination result by the determination unit, a transfer unit that performs a transfer process for the access request;
A transfer device comprising: The transfer unit
When the determination unit determines that the data is valid, the transfer unit instructs the terminal device to transmit an access request to another transfer device or the access destination device. The transfer apparatus according to claim 1, wherein the transfer process is not performed when it is determined that there is not. The access request from the terminal device includes the user information,
The determination unit
The transfer apparatus according to claim 1, wherein the second signature information is generated from the user information included in the access request by the predetermined algorithm. The user information is
The IP address of the terminal device, the generation date and time of the web page of the access source, the information output from the terminal device, and at least one information of the user agent are included. The transfer device described in 1. An access processing system comprising the transfer device according to any one of claims 1 to 4, a first content providing device, and a second content providing device,
The first content providing apparatus includes:
When there is a content request from the terminal device, the second signature information is generated from the user information by the predetermined algorithm, and a content request including the second signature information is made to the second content providing device. Instructing the terminal device;
The second content providing device includes:
In response to the content request including the second signature information from the terminal device, providing the terminal device with the second signature information and content information in which link destination information is set,
The receiving unit of the transfer device is
An access processing system that receives information including the link destination information as the access destination information from the terminal device. A reception unit for receiving a content request from a terminal device;
A generating unit that generates signature information from user information that is information corresponding to a user of the terminal device by a predetermined algorithm when the content request is received by the receiving unit;
A content request processing apparatus comprising: a providing unit that provides access information including the signature information generated by the generating unit to the terminal device. A transfer method executed by a computer,
An accepting step of accepting an access request including access destination information and first signature information from a terminal device;
Generating a second signature information from user information which is information corresponding to a user of the terminal device by a predetermined algorithm;
A determination step of determining validity of the access request based on a comparison result between the first signature information and the second signature information;
A transfer step of performing a transfer process for the access request based on the determination result of the determination step;
A transfer method comprising: A content request processing method executed by a computer,
A reception process for receiving a content request from a terminal device;
A generation step of generating signature information from user information which is information corresponding to a user of the terminal device by a predetermined algorithm when the content request is received by the reception step;
A providing step of providing access information including the signature information generated by the generating step to the terminal device;
A content request processing method comprising: A reception procedure for receiving an access request including access destination information and first signature information from the terminal device;
A generation procedure for generating second signature information from user information which is information corresponding to a user of the terminal device by a predetermined algorithm;
A determination procedure for determining the legitimacy of the access request based on a comparison result between the first signature information and the second signature information;
A transfer procedure for performing a transfer process for the access request based on the determination result of the determination procedure;
A transfer program for causing a computer to execute. An acceptance procedure for accepting a content request from a terminal device;
A generation procedure for generating signature information from user information, which is information corresponding to a user of the terminal device, by a predetermined algorithm when the content request is received by the reception procedure;
A providing procedure for providing access information including the signature information generated by the generating procedure to the terminal device;
A content request processing program for causing a computer to execute the above.

Images