TW201810107A - An authentication method of serializing data exchange with WORKER thread - Google Patents


Info

Publication number
TW201810107A
Authority
TW
Taiwan
Prior art keywords
request
application
client
server
service identifier
Application number
TW105129894A
Other languages
Chinese (zh)
Other versions
TWI620091B (en)
Inventor
李增奎
余承恩
陳維魁
梁聖佳
Original Assignee
健行學校財團法人健行科技大學
Application filed by 健行學校財團法人健行科技大學
Priority to TW105129894A
Publication of TW201810107A
Application granted
Publication of TWI620091B

Abstract

An authentication method of serializing data exchange with a worker thread is disclosed. A request including an application identifier related to a client application is received at a web server application. If the session with the client application is valid, a service identifier is generated and a registry is generated at the web server application. The service identifier is sent to the client application. A sub-request including the service identifier is received as part of an asynchronous client-server transaction. The validity of the sub-request is judged by determining whether the service identifier has expired or been modified, and whether the sub-request requests a service that is permissible according to the information in the registry. If the sub-request is valid, a renewed service identifier is generated and the service is provided. Thereby, more protection of the website is provided, since each request to the web server application carries a renewed service identifier.

Description

Authentication processing method based on WORKER-serialized requests

The present invention relates to the field of network technology, and in particular to an authentication processing method that performs data authentication for the serialized requests issued by an AJAX web page: using the worker-thread concept to execute requests in the background, the session credential obtained from the server is renewed on every request sent, as a protection against malicious intrusion on the client side.

Web technology is the main technology used by today's e-commerce systems and contains many complex operating mechanisms to ensure that e-commerce is conducted securely. For example, user login and management is a common and important function of an e-commerce system, but because ordinary e-commerce systems are constrained by the stateless and connectionless working mode of the HTTP (Hypertext Transfer Protocol) protocol, their user login and management functions cannot compare with those of ordinary Windows-based programs (that is, ordinary window applications).

Current technology usually records user information in the server-side Session and the site-wide Application object. The main approach is to store the user's information in the Session object when the user logs in successfully and to remove the user from the Session object when the user presses the logout button. To prevent large amounts of server memory being consumed by user records, a Session Timeout is usually applied, that is, an inactivity period is configured, and when the browser performs no action on the page for longer than that period the user is logged out automatically. Consequently, for users who close the browser directly after logging in without logging out, or who type a new URL into the browser's address bar and thereby navigate away, the above technique cannot manage users precisely.

Most website systems maintain the state of logged-in users through the session mechanism. Cookies (small text files) were created as an extension of HTTP, mainly to compensate for HTTP's statelessness by providing a way to keep state between client and server; traditionally the session mechanism is implemented with cookies. This approach is relatively weak from an information-security standpoint, and because sessions are often used to store sensitive data and are highly practical, they frequently become the target of attackers, who try to obtain the user's session ID. Session attacks generally include guessing the session ID (session prediction), stealing the session ID (session hijacking) and fixing the session ID (session fixation). Since the server and the client do not remain permanently connected and there is no real-time update of each side's state, the server does not know the client's state; anyone holding the user's ID (user ID) can impersonate the user and access the site, which may lead to violations of client privacy.

To effectively solve the problems of the prior art, the object of the present invention is to provide an authentication processing method based on WORKER-serialized requests, in which a new service identification credential is obtained on every request, and attacks by malicious programs can be detected promptly so that the system administrator obtains better website protection.

To achieve this object, the present invention provides an authentication processing method based on WORKER-serialized requests, whose steps include: an application server on a server side receives a request, the request including an application identifier associated with a client application; a service identifier is generated in response to a session of the client application being valid; a registry (login file) is generated at the application server, the registry containing information on the set of services and data that the client application is permitted to use; the service identifier is sent to the client application; a sub-request is received, the sub-request being part of an asynchronous client-server transaction and including the service identifier, and the validity of the sub-request is determined by judging whether the service identifier has expired or been modified, so as to generate a new service identifier; and, in response to the sub-request being valid, the service requested by the sub-request is provided.

In an embodiment of the invention, determining whether the service identifier is used in combination with the client application includes determining that the service identifier is used together with the client application identifier.

In an embodiment of the invention, when the service identifier is determined to be invalid, the application server replies with an error message to the client application.

In an embodiment of the invention, the request received at the application server is handled by a worker thread of the client application that processes the requests in a request queue, either by allocating one thread to each request in the request queue, or by creating a number of threads in advance, the number of pre-created threads being specified for the request queue, with each thread taking one request from the queue to execute.

In an embodiment of the invention, the application server is any application that operates to serve other applications and services.

In an embodiment of the invention, the application server includes an application server component, which may be an authentication application or authentication engine executed in correspondence with the application server.

The detailed description and technical content of the present invention are given below with reference to the drawings; however, the accompanying drawings are provided for reference and illustration only and are not intended to limit the present invention. To make the invention easier for the examiners and the reading public to understand, and to avoid confusion, a data processing environment of the AJAX network architecture of the present invention is described first.

Data is frequently exchanged over one or more data networks among various data processing systems. Some data processing systems may be regarded as client data processing systems, because they are consumers of data or services; other data processing systems may be regarded as server data processing systems, because they provide the requested data or services. An application executing as a client (that is, as a consumer of data or services) is called a client application, and an application executing as a server (that is, providing data or services) is called a server application.

The security of the systems on which data resides and of the networks on which those systems operate is a common concern in data communication. The security of a data processing system, its contents and the network it operates on is usually achieved by some security mechanism; authentication by user identifier (UID) and password is a common method of achieving the security goals of a data processing environment. Client and server data processing systems may communicate with one another using various protocols. The data communication that takes place between a client and a server data processing system consists of a sequence of requests and responses, and mutually related requests and responses form a transaction.

The security of client-server transactions is currently achieved in various ways. Some protocols, such as Secure Hypertext Transfer Protocol (HTTPS), achieve client-server transaction security through encryption and secure identification of the server data processing system. Other transaction security mechanisms include the use of a session identifier (session ID), an identifier used to identify the session between the client and server data processing systems; a typical session may include a series of transactions.

In some cases the client may request data from the server asynchronously. Asynchronous data transfer transmits data without disturbing the behaviour of tasks in progress. For example, a web browser application may be a client application; the web browser can request data from a web server asynchronously so that the behaviour or display of the page shown in the browser is not affected by the asynchronous data request or response, and the asynchronous request does not wait for its corresponding response. In other words, the response to an asynchronous request may arrive at the client and be processed at any time; the client does not wait for the response but continues with other tasks.

An asynchronous request is a request for asynchronous data or services. An asynchronous client-server transaction is a client-server transaction that occurs asynchronously with respect to another task in progress, and Asynchronous JavaScript and XML (AJAX) is the technology currently used to create and execute asynchronous client-server transactions. Asynchronous client-server transactions are particularly useful for improving the performance of web applications and the user experience. AJAX is a technology that lets a browser make asynchronous web requests; because it is asynchronous, the browser can execute web requests in the background when needed without interrupting or disturbing the work being performed in the browser's foreground.

Fig. 1 depicts the network architecture of the authentication system of the present invention, showing a data processing environment 100 under that architecture which includes a network 101 providing the medium for communication connections among several computer hosts 100a and several computers 100b serving as servers, all connected together within the data processing environment 100. The computer hosts 100a are defined as clients (110, 112, 114) and the server computers are defined as server sides (102, 104); the two communicate with each other over the network 101, connected by wire or wirelessly. In addition, the server sides and the clients may hold various data and may have software applications or software tools executing on the system.

Server side 102 and server side 104 may respectively include an application server 103 and an application server 105; the application servers (103, 105) may be any application that operates to serve other applications and services. Client 112 may include a client application 113, which may be an application or a component thereof capable of performing the data authentication processing of serialized requests according to an embodiment of the present invention.

The server sides (102, 104) and clients (110, 112, 114) may be coupled to the network 101 using wired connections, wireless communication protocols or other suitable data connectivity. Clients (110, 112, 114) may be, for example, personal computers or various kinds of mobile electronic devices with networking capability. In this embodiment, each server (102, 104) provides data such as boot files, operating system images and applications to the clients (110, 112, 114). The clients (110, 112, 114), or some combination of them, may include their own data, boot files, operating system images and applications, and the data processing environment 100 may include additional servers, clients and other devices not shown in the drawings.

Network 102 may represent a collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) and other protocols to communicate with one another. At the heart of the Internet is a backbone of data communication links between major nodes or host computers, comprising thousands of commercial, government, educational and other computer systems that route data and messages. Of course, the data processing environment 100 may also be implemented as many different types of network, such as an intranet, a local area network (LAN) or a wide area network (WAN).

Referring to Fig. 2, the authentication processing method based on Worker-serialized requests of the present invention operates on the architecture of the data processing environment 100 described above. As in current asynchronous client-server transaction technology, each thread processes one request; after the thread has finished executing a request it tries to fetch the next request and execute it. This is the basic concept of a worker thread: for requests that need lengthy computation or must be executed in the background, a Worker Thread can be used. A Worker Thread can be applied in different situations. It uses one thread to process the requests in a request queue; if requests keep arriving and may involve lengthy processing, the requests in the queue may not be consumed in time. With Worker Threads, one thread can be allocated to each request in the request queue, but in practice it suffices to create enough threads, specifying the number of threads pre-created for the request queue, with each thread taking one request to execute. A Worker Thread works whenever a request arrives; if there is no request, all Worker Threads wait until new work comes in and they are notified. The work that a WorkerThread performs on the request it obtains is defined directly in execute().

Following on from the above, the operation of the authentication processing procedure of the present invention is described as follows:

The client application 113 may issue an initial asynchronous request to application server 103 or application server 105, for example a request for a network address (URL); the URL is inserted into an array in the source code for the next step.

The second step checks the state of the waiting flag. If the state is true, the state of the waiting flag is checked again after a waiting period, until the flag state is false; if the waiting flag state is false, proceed to the next step.

In the third step the Worker Thread checks whether any URL remains in the array. If no URL exists, the state is regarded as true, the action ends and returns; if the state is false, proceed to the next step.

The fourth step uses the AJAX engine to send the request to server side 102, sets the state of the waiting flag to true, then removes the first entry from the array and returns to the second step to loop.

In the fifth step, after the server side receives the client's request it checks the credential in the cookie. If the credential is wrong, a not-logged-in warning is returned to client 112; if the credential is correct, the old credential is invalidated, a new credential is generated, and the result is returned to client 112.

In the sixth step, after the client receives the reply from server side 102, it clears the waiting state, then processes the returned result and ends the action.

Following on from the above, at the AJAX request of the fourth step the request URL is first written to a request queue (RequestQueue), and an independently running Worker keeps inspecting the RequestQueue; if it is empty, the Worker checks again after 0.1 seconds. The server side checks the credential in the cookie; the request is sent out and a response awaited, and if a URL is present the response is returned to the main program by posting a message (post message) to it, after which the next request is sent. Back end: every time a request has been processed, the session credential is modified, so each session credential can be used only once.
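The six steps above and the RequestQueue/Worker description can be exercised end to end in a small simulation. The following JavaScript is an added example, not code from the patent or its applicant: the client side keeps a RequestQueue and a waiting flag and drains the queue one request at a time, and a simulated in-process back end (constructed for this example) rotates the session credential after every processed request so that each credential is accepted exactly once. The class and function names, the 100 ms poll interval and the credential format are assumptions; in a browser the worker loop would live in a Web Worker and hand results to the main program with postMessage, which is modelled here by pushing into a results array.

```javascript
// Added example (not the patent's own code). Models the client-side
// RequestQueue + worker loop and a back end that issues one-time credentials.

// --- Simulated back end (constructed for this example) ---
function createBackend() {
  const sessions = new Map(); // sessionId -> credential currently valid
  let counter = 0;
  const issue = () => `cred-${++counter}`; // assumption: a real system uses a CSPRNG

  return {
    // Login: create the session and hand out the first credential.
    login(sessionId) {
      const cred = issue();
      sessions.set(sessionId, cred);
      return cred;
    },
    // Step 5: check the credential carried by the request. A wrong or stale
    // credential gets a not-logged-in warning; a correct one is invalidated,
    // a new one is generated and returned together with the result.
    async handle(sessionId, url, cred) {
      await new Promise((r) => setTimeout(r, 5)); // simulated network delay
      if (sessions.get(sessionId) !== cred) {
        return { ok: false, error: 'NOT_LOGGED_IN', url };
      }
      const next = issue();
      sessions.set(sessionId, next);
      return { ok: true, body: `data for ${url}`, credential: next };
    },
  };
}

// --- Client side: RequestQueue, waiting flag and the worker loop ---
class SerializedClient {
  constructor(backend, sessionId, pollMs = 100) {
    this.backend = backend;
    this.sessionId = sessionId;
    this.credential = backend.login(sessionId);
    this.queue = [];       // RequestQueue: URLs waiting to be sent (step 1)
    this.waiting = false;  // waiting flag: a request is currently in flight
    this.results = [];     // what the main program receives via "post message"
    this.pollMs = pollMs;  // re-check interval while the flag is set (step 2)
  }

  // Step 1: the main program appends a URL to the queue.
  request(url) { this.queue.push(url); }

  // Worker loop covering steps 2-4 and 6; step 5 is the back end's handle().
  async run() {
    for (;;) {
      if (this.waiting) {                      // step 2: in flight, wait and re-check
        await new Promise((r) => setTimeout(r, this.pollMs));
        continue;
      }
      if (this.queue.length === 0) return this.results; // step 3: nothing left
      const url = this.queue.shift();                   // step 4: take the first URL
      this.waiting = true;
      const resp = await this.backend.handle(this.sessionId, url, this.credential);
      if (resp.ok) this.credential = resp.credential;   // adopt the renewed credential
      this.results.push(resp);                          // "post message" to main program
      this.waiting = false;                             // step 6: clear the waiting state
    }
  }
}

// Drives three queued requests, then replays the credential that was valid
// before the first one to show that a captured credential is refused.
async function demo() {
  const backend = createBackend();
  const client = new SerializedClient(backend, 'sess-A', 10);
  ['/api/profile', '/api/orders', '/api/cart'].forEach((u) => client.request(u));
  const firstCred = client.credential;
  const results = await client.run();
  const replay = await backend.handle('sess-A', '/api/profile', firstCred);
  return { results, replay, finalCredential: client.credential };
}
```

Because the queue is drained strictly one request at a time, the client always holds the single credential the back end currently expects; a second tab or an intercepted copy of an older credential fails the step-5 check and is answered with the not-logged-in warning, which is exactly the signal the patent relies on to make misuse visible.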

Referring to Fig. 3, which depicts a timing diagram of the transactions occurring within an asynchronous client-server transaction according to an illustrative embodiment: it includes a client application 200, which may be similar to client application 113 described in Fig. 2; an application server 300, which may be similar to application server 103 described in Fig. 2; and an application server component 310, which may be an application or engine executed in correspondence with application server 300, such as an authentication application or authentication engine. Application server component 310 may be one or more application server components serving different functions.

Application server component 310 may be an application, engine or component used by application server 300. For example, in one embodiment application server component 310 may be a combination of an authentication engine and some other existing components of a currently available application server application; application server component 310 may be more than one application server component serving different functions.

In one embodiment, application server 300 may present a login dialog 301 to client application 200. Login dialog 301 may be optional, and client application 200 may provide authentication credentials in request 201 either on its own initiative or in response to login dialog 301. The authentication credentials may include an application identifier associated with client application 200, an identifier associated with request 201, and one or more authentication credentials associated with a user or account, or a combination of these.

Application server 300 uses the authentication credentials in request 201 to validate the session with client application 200; application server 300 may send a validate-session message 302 to application server component 310 and receive back a validation message to complete this validation. Application server 300 may use application server component 310 to generate a service registry 303; the generated service registry may include a description of the services, data or other resources available through application server 300. Application server component 310 generates a service identifier 311, and application server 300 sends one or more message responses 304 carrying that data to client application 200; response 304 conveys the service identifier to client application 200.

Client application 200 uses the service identifier and the directory received in response 304 to dynamically construct sub-request 202 and sends it to application server 300. For example, sub-request 202 may include requests only for services that appear in the directory received in response 304; sub-request 202 may further include the application identifier of client application 200, or the service identifier received in response 304, or a transformation of that service identifier.

Application server 300 performs the service identifier expiry check 305 using application server component 310, and performs check 620 after each sub-request 202. Expiry of the service identifier over time is used in this embodiment only as an example and is not a limitation of the invention; within the scope of the invention, any security feature associated with the service identifier may be checked in step 305 in a suitable manner.

If the service identifier has not expired, application server 300 may send request 306 to application server component 310 for the service or data requested in sub-request 202; in addition, application server 300 may send another request 307 to application server component 310 for any additional data processing that may have to be performed using the combination of the service identifier and the application identifier. For example, request 307 may be used to log sub-request 202; further, request 307 may be used to increment the expiry count of the service identifier.

Application server component 310 validates the service identifier in every sub-request. The validation covers the integrity of the service identifier in order to determine its validity, the validity determination including whether it has been modified, has expired, and so on. If validation determines the service identifier to be invalid, an error message (not shown), such as the not-logged-in warning described above, is sent to the sender of the request; that sender is not necessarily client application 200 and may be a malicious application (not shown).

Following on from the above, a returned service identifier that has expired (212) cannot pass validation by application server component 310, so application server component 310 generates a new service identifier 312 and performs a response operation 308 carrying the new service identifier 312b to client application 200. Client application 200 then uses the renewed service identifier to dynamically construct subsequent sub-requests, and data transfer between client application 200 and application server 300 continues in the manner described above until the procedure securing the asynchronous client-server transaction ends.
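The validation and renewal performed by application server component 310, which is also the server half of the method summarised earlier (issue a service identifier for a valid session, build a registry of permitted services, check each sub-request for modification, expiry and permitted service, then renew), can be modelled as a single component. The JavaScript below is an added example and not the patent's or applicant's code; the class name AuthComponent, the method names issue() and handle(), the registry shape, the error codes and the injected clock and identifier generator are all assumptions made for illustration. It treats an identifier that is not in the registry as "unknown or modified", which is how an opaque server-side registry detects tampering without any client-visible structure in the identifier.

```javascript
// Added example (not the patent's own code): a model of application server
// component 310 validating the service identifier in each sub-request 202.
class AuthComponent {
  constructor({
    now = () => Date.now(),
    // assumption: production code should use a CSPRNG such as crypto.randomUUID()
    makeId = () => Math.random().toString(36).slice(2),
    ttlMs = 60_000,
  } = {}) {
    this.now = now;
    this.makeId = makeId;
    this.ttlMs = ttlMs;
    // Registry (303): serviceId -> { appId, services, expiresAt }
    this.registry = new Map();
  }

  // After the session is validated (302) and the registry built (303),
  // issue a service identifier (311) bound to the application and to the
  // set of services it is permitted to use.
  issue(appId, permittedServices) {
    const serviceId = this.makeId();
    this.registry.set(serviceId, {
      appId,
      services: new Set(permittedServices),
      expiresAt: this.now() + this.ttlMs,
    });
    return serviceId;
  }

  // Check 305 for one sub-request { appId, serviceId, service }.
  // Any presented identifier is consumed (single use); on success a renewed
  // identifier (312) is returned with the response (308), on failure an error
  // message such as the not-logged-in warning is returned instead.
  handle(sub) {
    const entry = this.registry.get(sub.serviceId);
    if (!entry) {
      return { ok: false, error: 'NOT_LOGGED_IN', reason: 'unknown or modified service identifier' };
    }
    this.registry.delete(sub.serviceId); // one use only, whatever the outcome
    if (entry.appId !== sub.appId) {
      return { ok: false, error: 'NOT_LOGGED_IN', reason: 'identifier not bound to this application' };
    }
    if (this.now() > entry.expiresAt) {
      return { ok: false, error: 'NOT_LOGGED_IN', reason: 'service identifier expired' };
    }
    if (!entry.services.has(sub.service)) {
      return { ok: false, error: 'FORBIDDEN', reason: 'service not in registry' };
    }
    const renewed = this.issue(entry.appId, entry.services); // rotate (312)
    return { ok: true, service: sub.service, serviceId: renewed };
  }
}

// Walks through the outcomes the text describes, with a fake clock and a
// deterministic identifier generator so the result is reproducible.
function demo() {
  let t = 1000;
  let n = 0;
  const auth = new AuthComponent({ now: () => t, makeId: () => `sid-${++n}`, ttlMs: 500 });
  const log = [];
  const sid1 = auth.issue('app-A', ['profile', 'orders']);
  const r1 = auth.handle({ appId: 'app-A', serviceId: sid1, service: 'profile' });
  log.push(r1);                                                                   // valid, renewed
  log.push(auth.handle({ appId: 'app-A', serviceId: sid1, service: 'profile' }));  // replay of sid1
  log.push(auth.handle({ appId: 'app-A', serviceId: r1.serviceId + 'x', service: 'profile' })); // tampered
  log.push(auth.handle({ appId: 'app-A', serviceId: r1.serviceId, service: 'admin' })); // not permitted
  const sid3 = auth.issue('app-A', ['profile']);
  t += 600;                                                                       // past ttlMs
  log.push(auth.handle({ appId: 'app-A', serviceId: sid3, service: 'profile' }));  // expired
  return log;
}
```

Consuming the identifier before any other check is the design choice that gives the "each credential can be used only once" property: a legitimate client that still holds the old identifier after an attacker has spent it receives the not-logged-in warning on its next sub-request, which is the detection signal the description relies on.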

Thus, unlike the technology currently used for asynchronous client-server transactions, embodiments of the present invention protect asynchronous client-server transactions by creating sub-requests, when needed, using information from the directory and the service identifier, both of which may change over time. Creating sub-requests in this way makes them dynamic and resistant to spoofing or trial-and-error attacks by malicious applications.

In summary, the authentication processing method of the present invention uses worker technology to implement the serialization process: the front end processes each request in a serialized manner and transmits it to the server side, while the back-end program handles it on the server side and modifies the Session credential after every processed request. This technique addresses the data-modification errors or malicious alterations that may occur when a user opens multiple tabs or when an attacker captures the session, letting the user know at the earliest moment that their identity may have been misused and thus reducing losses. Because the cookie value of the session mechanism is changed after every processed request, when an attacker intercepts network packets and uses them to impersonate the user, an error message is issued promptly and the user becomes aware immediately; since the cookie value has changed, a request made to the system with the old cookie is treated by the system as coming from an illegitimate user, and by reporting the situation to the system administrator the website system can obtain better protection.

The foregoing describes only preferred embodiments or examples of the technical means by which the present invention solves the problem, and is not intended to limit the scope of the patent. All equivalent changes and modifications that conform to the wording of the claims of this invention, or that are made in accordance with the scope of the patent, fall within the scope of the patent.

100 Data processing environment
101 Network
100a Host computer
100b Computer for the server
102 Server side
103 Application server
104 Server side
105 Application server
110 Client
112 Client
113 Client application
114 Client
200 Client application
201 Send request
202 Dynamically construct sub-request
300 Application server
301 Login dialog box
302 Verify session message
303 Registry (login file)
304 Service identifier response
305 Service identifier verification request
306 Service and data request
307 Data processing request
308 Service and data response
310 Application server component
312 Generate new service identifier

Figure 1 is a schematic diagram of a data processing environment of the network architecture of the present invention. Figure 2 shows the operating architecture of the Worker-serialized request authentication processing of the present invention. Figure 3 is a sequence diagram of sending a request and performing service identifier (session) authentication according to the present invention.

Claims (8)

1. An authentication processing method based on Worker-serialized requests, comprising the steps of: receiving, at an application server on a server side, a request from a client, the request including an application identifier associated with a client application; generating a service identifier in response to a session with the client application being valid; generating, at the application server, a registry (login file) containing information on the set of services and data that the client application is permitted to use; sending the service identifier to the client application; receiving a sub-request that is part of an asynchronous client-server transaction, the sub-request including the service identifier, and determining the validity of the sub-request by determining whether the service identifier has expired or been modified, so as to generate a new service identifier; and, in response to the sub-request being valid, providing the service in response to the sub-request.

2. The authentication processing method based on Worker-serialized requests of claim 1, wherein determining whether the service identifier is used in conjunction with the client application comprises: determining that the service identifier is used together with the client application identifier.

3. The authentication processing method based on Worker-serialized requests of claim 2, wherein, when the service identifier is determined to be invalid, the application server responds with an error message to the client application.

4. The authentication processing method based on Worker-serialized requests of claim 1, wherein the request received at the application server is handled by a worker thread of the client application that processes the requests in a request queue, either by assigning one thread to each request in the request queue, or by creating a plurality of threads with a number of threads pre-established for the request queue, each thread taking one request from the queue to execute.

5. The authentication processing method based on Worker-serialized requests of claim 1, wherein the application server is any application that operates to serve other applications and services.

6. The authentication processing method based on Worker-serialized requests of claim 5, wherein the application server comprises an application server component, which may be an authentication application or an authentication engine executed in correspondence with the application server.

7. The authentication processing method based on Worker-serialized requests of claim 1, wherein the client comprises a personal computer or any type of mobile electronic device with networking capability.

8. The authentication processing method based on Worker-serialized requests of claim 1, wherein the client application is a web browser.
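The rotation and validation flow from the summary above and from claim 1, as an added example written for this page rather than the patent's own code: a server-side registry binds each service identifier to a client application, a set of permitted services and an expiry, retires the identifier after one valid sub-request, and a client worker loop drains a request queue serially. The in-memory registry, the TTL, the status strings and the service names are constructed for illustration.

```python
import secrets
import time

class ServiceIdentifierRegistry:
    """Server-side registry: live service identifier -> bound application, permitted services, expiry."""
    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl = ttl_seconds
        self.now = now          # injectable clock so expiry can be exercised offline
        self.entries = {}       # service identifier -> record

    def issue(self, app_id, permitted_services):
        """Generate a fresh, unguessable service identifier once the session is valid."""
        sid = secrets.token_urlsafe(32)
        self.entries[sid] = {
            "app_id": app_id,
            "permitted": frozenset(permitted_services),
            "expires": self.now() + self.ttl,
        }
        return sid

    def handle_sub_request(self, sid, app_id, service):
        """Validate one sub-request; on success retire the identifier and return a renewal.
        Returns (status, new_sid). A replayed identifier that was already rotated is unknown,
        so a stolen cookie surfaces as an error on its first reuse. Revocation on a failed
        check is not specified by the page; only expired entries are discarded here (assumption)."""
        record = self.entries.get(sid)
        if record is None:
            return ("unknown_or_modified_identifier", None)
        if self.now() > record["expires"]:
            del self.entries[sid]
            return ("expired_identifier", None)
        if record["app_id"] != app_id:
            return ("identifier_not_bound_to_application", None)
        if service not in record["permitted"]:
            return ("service_not_permitted", None)
        del self.entries[sid]                      # the old identifier is now dead
        return ("ok", self.issue(app_id, record["permitted"]))


def run_serialized_queue(registry, sid, app_id, request_queue):
    """Client-side worker loop: drain the queue one sub-request at a time,
    always carrying the most recently issued identifier into the next one."""
    results = []
    for service in request_queue:
        status, new_sid = registry.handle_sub_request(sid, app_id, service)
        results.append(status)
        if new_sid is not None:
            sid = new_sid
    return results, sid
```

Because each identifier is single-use, a client that issues sub-requests concurrently instead of through the serial loop would race against its own renewals, which is the reason the page serializes them through the worker.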
TW105129894A 2016-09-13 2016-09-13 An authentication method of serializing data exchange with worker thread TWI620091B (en)

Publications (2)

Publication Number Publication Date
TW201810107A (en) 2018-03-16
TWI620091B (en) 2018-04-01

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees