JP5043361B2 - Session management program and device with WEB server function - Google Patents

Description

  The present invention relates to a program for managing a session between a WEB server function-equipped device and a client terminal, and a WEB server function-equipped device that executes the program. More specifically, the present invention relates to a program for managing a session with a client terminal that accesses a computer from a remote location via the Internet network and giving a function for preventing unauthorized access to a device equipped with a WEB server function.

  As shown in FIG. 5, the relationship between the WEB server function-equipped device 1 and the client terminal 2 is a relationship for performing communication via the Internet network 3. In the Internet 3, there is a high risk that a third party intercepts communication contents and illegally accesses the WEB server function-equipped device 1. Therefore, conventionally, as shown in FIG. 6, when a client terminal accesses, a user authentication WEB page is displayed on the client terminal, and user information for user authentication is input to the client terminal side, so that the user authentication is performed. Only when it is confirmed, a method of permitting browsing / operation of subsequent WEB pages is adopted.

However, if the URL of the WEB page after authentication is detected by interception, a third party can directly access the WEB page. In order to prevent this, conventionally, as shown in FIG. 7, a program in which the WEB server function-equipped device 1 performs session management using a cookie function has been proposed (for example, Patent Document 1). Here, at the time of authentication, the first WEB page 51 is provided to the client terminal 2, and at the same time, the file 52 describing the session information is stored in the memory of the client terminal 2. After the authentication, the WEB server function-equipped device 1 receives the request data with the session information from the client terminal 2 and transmits the next WEB page 51 corresponding to the client request to the client terminal 2.
Please refer to “http://home.netscape.com/newsref/std/cookie_spec.html” for details on the above cookies.
JP-A-2005-122864

However, the conventional session management program has the following problems.
1. Since session management is performed using cookies, a client terminal 2 having a WEB browser that does not support cookies, such as a mobile phone, a PDA, an inexpensive personal computer, or the like cannot access the WEB server function-equipped device 1.

2. Since a session end request is not always transmitted from the client terminal 2, it is necessary to end the session when a predetermined time has elapsed. If this session time is set long, the WEB server function-equipped device 1 not only consumes a large amount of memory in one session, but also gives a third party an opportunity for unauthorized access for a long time. On the other hand, if the session time is too short, the session ends while data is being input on the client terminal 2 side, and the operability deteriorates.

3. In addition, since the WEB page data and session time are managed by a program directly belonging to the OS of the device 1 with the WEB server function, it is necessary to change the program when changing the WEB page or changing the session time. It takes time and effort.

  The object of the present invention is to make it possible to efficiently manage a session with a small amount of memory consumption, and to prevent unauthorized access by a third party reliably, by targeting a client terminal that does not support cookies. Another object of the present invention is to provide a WEB server function-equipped device equipped with a new program and the new program.

  In view of the above-mentioned problems, the present inventors have conducted intensive studies and have found that the above object can be achieved by managing a session between a WEB server function-equipped device and a client terminal via the Internet network by a new procedure. The heading and the following means (a) to (h) are proposed.

(A) A session management program for setting a session valid time for each WEB page provided to a client terminal that does not support cookies via the Internet network from a device equipped with a WEB server function.

(B) A session management program that updates a session key unique to a client terminal each time a WEB page is switched.

(C) A client terminal that does not support cookies is a mobile phone, PDA (Personal
Digital Assistants (also known as a portable information terminal), or a notebook or desktop personal computer session management program.

(D) A session management program for setting the valid time to a length corresponding to the operation time of the WEB page by the client terminal.

(E) A session management program for setting the valid time from 0 seconds to 15 minutes.

(F) A session management program for setting the valid time based on information specified in advance in the WEB page data.

(G) Processing for checking authentication information received from the client terminal, processing for issuing a session key unique to the authenticated client terminal, storing session information including the session key, and WEB page data provided to the client terminal , Processing for setting the valid time of a session designated in advance in the WEB page data in the session information, processing for generating WEB page transmission data by embedding the session key in the WEB page data, and WEB page transmission A process of transmitting data to the client terminal, a process of monitoring the elapse of the valid time set in the session information, a session key in the request data received from the client terminal within the valid time, and a session key in the session information Process to check for matches and If the request is accepted, processing for reissuing a new session key to update session information, processing for responding to a request from the client terminal specified in the request data, and request data from the client terminal within the valid time A session management program comprising a process of deleting session information when it is not received.

(H) A WEB server function-equipped device including a recording medium for recording the session management program according to any one of (a) to (g).

Here, “client terminal” means a device that can access a device equipped with a WEB server function and does not support cookies. For example, a mobile phone, a PDA, or a notebook or disk A top-type personal computer can be used.

The “WEB server function-equipped device” is a computer device having a function as a WEB server. Specifically, a server computer in which an OS (Operating System) is installed or a server computer in which an OS is not installed is used. For example, a centralized management computer that centrally controls and manages electric devices such as lighting fixtures, air conditioners, and security cameras installed at many locations in homes and offices.

“Session information” is information stored in the memory of the WEB server function-equipped device in an updatable manner. Specifically, “session key”, “session key issue time”, “session valid time”, It is data including.

The “session key” is a key composed of a random value issued to authenticate the client terminal by the WEB server function-equipped device, and means information (key) that can be recognized only by the client terminal and the WEB server function-equipped device. The client terminal transmits some request data including the session key to the WEB server function-equipped device, and the WEB server function-equipped device checks only the session key in the received data and then executes only the request having the correct session key.

“Issuance time of session key” is a time at which a device with a WEB server function issues a session key. The WEB server function-equipped device issues a first session key after authenticating the client terminal, generates session information including the time when the key is issued, and stores the session information in the memory. Each time the WEB page is switched, a new session key is reissued, and the session information is updated including the issue time.

“Session valid time” is the time during which session information including a session key survives in the memory of the device with the WEB server function. The WEB server function-equipped device reads the time information described in advance from the WEB page data, sets it in the session information, and monitors the session with the client terminal based on the session key issuance time and valid time To do. The valid time is set finely for each WEB page by estimating the time required for input and browsing on the client terminal side. When this valid time elapses, the WEB server function-equipped device deletes the session information from the memory. The valid time varies from web page to web page, but can be exemplified from 0 seconds to 15 minutes.

The session management program of the present invention changes the value of the session key every time the client terminal requests some processing (WEB page switching, etc.) from the WEB server function-equipped device, and further sets the time required for the operation of the WEB page to the session. It is set as the valid time. For this reason, shortening the time that the session key remains the same value in the session information, limiting the opportunity for a third party to intercept the session key, and even if intercepted, terminate the session in a short time, and unauthorized access Can be made extremely low.

In addition, by setting the time required for the operation of the WEB page as an effective time, the device equipped with the WEB server function can reduce the memory occupied time by the session information comprehensively without deteriorating the user operability. , Avoid wasting memory. Therefore, the memory mounted on the WEB server function-equipped device can be a lower-capacity memory, and the WEB server function-equipped device can be manufactured at low cost.

Furthermore, because the session valid time is specified in the WEB page data and separated from the program of the WEB server function-equipped device, the burden on the WEB server function-equipped device can be reduced when changing the WEB page or session information. Can do.

  Next, preferred embodiments of the present invention will be described with reference to the drawings. As shown in FIG. 1, the WEB server function-equipped device 1 is connected to the client terminal 2 via the Internet network 3 and provides the client terminal 2 with a WEB page 4 according to a user request. The WEB page 4 is stored in a memory (not shown) of the WEB server function-equipped device 1 in a predetermined file format, and the time required for the page operation by the user is described in advance as the session valid time in each WEB page data 5. Has been.

The client terminal 2 transmits user authentication and other request data to the WEB server function-equipped device 1 from the WEB browser. The request data includes a session key unique to the client terminal 2 in addition to the user authentication request. The session key is provided to the client terminal 2 from the WEB server function-equipped device 1 in a form embedded in the WEB page 4.

The server processing unit 6 of the WEB server function-equipped device 1 performs a user authentication check and a session check on the request data received from the client terminal 2, and generates, updates, etc. a memory for storing session information only when it matches. Perform the process. At the time of this user authentication, the server processing unit 6 creates session information including the session key provided to the client terminal 2, the session key issuance time, and the session valid time read from the WEB page data 5. Register the file 7 in the designated area of the memory. After the user authentication, the server processing unit 6 deletes the session information file 7 from the memory when the session valid time has elapsed.

The client terminal 2 shown in FIGS. 1 and 2 includes a computer that does not support cookies, specifically a mobile phone, a PDA, or a laptop or desktop personal computer.

Next, the detailed configuration of the session management program will be described with reference to FIG.
Step S1:
User information is input from the WEB browser of the client terminal 2 and user authentication information is transmitted to the WEB server function-equipped device 1.

Step S2:
The WEB server function-equipped device checks the received user authentication information (S2-1). If authentication is successful, a session key is issued, and session information is generated based on the session key. At the same time, WEB page data provided to the client terminal is read, and a session information file 7 is created by adding the session valid time described in the WEB page data (S2-2). Thereafter, the issued session key is embedded in the WEB page data, and WEB page transmission data is generated (S2-3). Then, the WEB page is transmitted to the client terminal via the Internet network (S2-5). If user authentication cannot be performed, WEB page transmission data indicating the error content is generated (S2-4), and the error page is transmitted to the client terminal.

Step S3:
The client terminal displays the WEB page data received from the WEB server function-equipped device on the WEB browser (S3-1). When a WEB page indicating an error is displayed on the display unit of the client terminal (S3-2), the user tries user authentication again as necessary. When the WEB page indicating the completion of authentication is displayed, the user performs a predetermined operation / input designated on the WEB page (S3-3), and creates the next request data. At this time, the session key in the WEB page is incorporated in the request data created by the user.

Step S4:
The WEB server function-equipped device receives the request data including the session key, and checks whether or not the received session key matches the session key described in the session information file 7 (S4-1). If they match, the session key is reissued, and the session key and issue time in the session information are updated (S4-2). After that, processing to respond to the request from the client terminal specified in the request data is executed, and according to the execution result, the WEB page data to be provided to the client terminal is read next, and the session specified in the data is valid Set time in session information. Then, the reissued session key is embedded in the WEB page data, WEB page transmission data is generated (S4-3), and the WEB page is transmitted to the client terminal. On the other hand, if a session key mismatch is confirmed by the session check, WEB page transmission data indicating the error content is generated (S4-4), and the error page is transmitted to the client terminal.

Step S5:
After transmitting the WEB page, the WEB server function-equipped device monitors the elapsed time of the current session based on the session key issuance time and valid time in the session information (S5-1). When there is no request from the client terminal within the valid time, the current session information 7 is deleted from the memory to invalidate the session key (S5-2), and when there is a request from the client terminal within the valid time Repeat the session check.

Step S6:
When the WEB server function-equipped device confirms the timeout and terminates the session, the WEB browser of the client terminal determines that the WEB server function-equipped device does not respond (S6), and displays that fact on the display unit of the client terminal. , Prompt users to re-authenticate.

The session management program configured as described above has a function for embedding a session key in WEB page transmission data and managing the session key in order to reduce the burden on the WEB server function-equipped device due to the change of the WEB page. Separate from other programs. For example, as shown in FIG. 3, the session key is represented by a tag 8 (“% 00”) in a predetermined format in HTML-format WEB page data 5, and the WEB server function-equipped device stores the WEB page data 5. When reading, the web page transmission data is created by replacing the tag 8 with a session key.

As shown in FIG. 4, the WEB page data 5 is designated by a tag 9 (“$ 00”) having a predetermined session valid time. Then, when the WEB server function-equipped device reads the WEB page data 5, the time required for the page operation (“60” seconds) is extracted, and the value is set as the session valid time in the session information. When switching WEB pages, the time ("180" seconds) corresponding to the page operation is read from another WEB page data 5, the valid time is changed, and this valid time is changed to the session key ("2541") and its issue time. ("999999") and the session information file 7 is updated, and a new WEB page transmission data file 10 is generated. As a result, the effective time can be set finely for each WEB page, the memory occupation time per session can be shortened, the total memory consumption of the device equipped with the WEB server function can be reduced, and the memory can be used effectively. It becomes possible to use a personal computer with a small capacity as a server device.

When a session key is issued, a random value that does not overlap with an existing session key in the WEB server function-equipped device is assigned to the session key. The session key is issued at the time of generating session information after user authentication (see FIG. 2: S2-2) and the time of updating session information after successful session check (see FIG. 2: S4-2). The value of this session key changes each time the WEB page is switched. Furthermore, since the valid time of one session key is the time required for the operation of the WEB page of the client terminal, the time for switching the session key is the minimum necessary. It is possible to reduce the time for holding the value of the session key, and even when a third party detects the session key, it cannot be used to prevent unauthorized access.

  Therefore, it is apparent from the above description related to the present invention that the object of the present invention can be effectively achieved. The above-described embodiments are merely illustrative and should not be construed as limiting, as other elements may be altered, modified, or changed without departing from the scope or spirit of the invention. The scope or spirit of the invention is limited only by the appended claims.

Since it has the following features (i) to (iv), according to the WEB server function-equipped device equipped with the session management program of the present invention, the WEB server function-equipped device and many clients via the Internet network Sessions with the terminal can be managed safely without being intercepted by a third party.

Furthermore, as a computer used for the WEB server function-equipped device of the present invention, a relatively inexpensive computer with a small memory capacity can be used, and its maintenance is simple. Therefore, the present invention provides an industrially safe and inexpensive WEB page providing system.

(I) The WEB server function-equipped device of the present invention can use, as a client terminal, a computer such as a mobile phone, a PDA, or a notebook or desktop personal computer that does not support cookies.

(Ii) The WEB server function-equipped device of the present invention updates the session key every time a processing request (WEB page switching) is made from the client terminal to the WEB server function-equipped device, and the user is required for operations on the WEB page. By setting the time corresponding to the set time as the effective time of the session, the time during which the session key in the session information keeps the same value can be shortened and third party access can be prevented.

(Iii) The device with the WEB server function according to the present invention sets the time required for the operation of the WEB page as the effective time, so the total time occupied by the memory by the session information can be integrated without deteriorating the user operability. Can be shortened to avoid wasting memory.

(Iv) Since the WEB server function-equipped device of the present invention specifies the valid time of the session in the data of the WEB page, it reduces the burden on the WEB server function-equipped device when changing the WEB page or the valid time. be able to.

It is a conceptual diagram which shows the session management system in connection with this invention. It is a flowchart which shows the session management gram concerning this invention. It is explanatory drawing of the WEB page data in connection with this invention. It is explanatory drawing which shows the setting method of the session key and session valid time concerning this invention. It is a conceptual diagram which shows the general communication form of a client terminal and a WEB server function loading apparatus. It is explanatory drawing which shows the authentication method of the conventional client terminal. It is a conceptual diagram which shows the conventional session management method.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 WEB server function installation apparatus 2 Client terminal 3 Internet network 4 WEB page 5 WEB page data 6 Server processing part 7 Session information file 8 Tag specifying session key 9 Tag specifying session valid time 10 WEB page transmission data file

Claims (2)

In a WEB server function-equipped device that provides a WEB page to a client terminal, a program for managing a session with the client terminal, the WEB server function-equipped device,
Processing for checking authentication information received from the client terminal;
A process of issuing a session key unique to an authenticated client terminal and storing session information including the session key;
A process of reading WEB page data provided to the client terminal;
A process of extracting the valid time of a session designated in advance in the WEB page data from the WEB page data and setting it in the session information;
Processing for embedding the session key in WEB page data to generate WEB page transmission data;
Processing for transmitting the WEB page transmission data to a client terminal;
A process of monitoring the elapse of an effective time set in the session information;
Processing for confirming a match between a session key in the request data received from the client terminal within the valid time and a session key in the session information;
A process of reissuing a new session key to update the session information when a match is confirmed;
A process of deleting the session information when request data is not received from the client terminal within the valid time;
A session management program characterized in that A WEB server function-equipped device comprising a recording medium for recording the session management program according to claim 1 .

Images