JP2002189646A - Relay device - Google Patents

Abstract

(57) [Summary] [PROBLEMS] When a terminal using a communication method that does not perform connection management accesses a database that performs connection management via a relay device, the number of logins to the database from the relay device is minimized. SOLUTION: When a login request is input from a terminal to the relay device, a session ID given for each session and a DB obtained after the relay device logs in to the database and including execution information of a program of the relay device. The set of access means is stored in the session information storage means in association with each other. Thus, when a request including the session ID is received from the terminal, the DB is accessed directly from the relay device without logging in to the DB again by acquiring the DB access unit corresponding to the session ID directly from the session information storage unit. It becomes possible.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method of performing session management from a terminal that uses a communication system that does not manage connection between a terminal and a server, such as the WWW, when accessing a database that performs connection management. The present invention relates to a relay device for improving the access efficiency of a relay device.

[0002]

[Prior Art] WWW (World Wi-Fi) is stored in an in-house database (DB).
The WWW-DB linkage system, which allows access from a de Web) browser via a network, has been applied to e-commerce, etc., since a normal PC can be used as a terminal.

Recently, a mobile phone equipped with a WWW browser, such as a NTT DOCOMO i-mode compatible mobile phone, can be used as a terminal of this system.
The demand for cooperative systems is even higher.

[0004] Usually, HTTP (Hypertext Tr) used in WWW is used.
Ansfer Protocol) is a communication method that does not manage the logical connection between the terminal and the server and disconnects when the server returns a response to one request. Until logout, connection management is performed so that only logged-in users can access. Therefore, in a WWW-DB cooperation system, even if a WWW terminal logs in to the DB as it is, the login to the DB will be invalidated when the terminal accesses again, so if you do not log in again, No. Therefore, it was placed between the terminal and the DB
A server such as a WWW server needs to recognize and manage a logical connection (session) between a terminal and a server.

FIG. 28 shows the overall configuration of such a conventional WWW-DB cooperation system.

In FIG. 28, reference numeral 2701 denotes a terminal equipped with a WWW browser and transmitting a user request.

As a terminal, a PC, a PDA (Personal Digital Assistant) equipped with a WWW browser, or a mobile phone can be used. 2702 is a network. Reference numeral 2703 denotes a relay device which accesses a database according to a request from a terminal when the request is input from a network, and returns a response including data to the terminal when information is obtained. Apache project, Netscape US, Micr US
WWW servers developed by osoft and others can be assumed. Reference numeral 2704 denotes a DB storing data to be acquired by the terminal. FIG. 28 shows the internal configuration of the relay device 2703.

In FIG. 29, reference numeral 2801 denotes terminal communication means for communicating with a terminal. Reference numeral 2802 denotes a session information management unit that manages session information that is information indicating to which session the request belongs. Session information includes
Stores information input from the terminal, such as a session number, user ID, and password. Reference numeral 2803 denotes a login unit for logging in to the DB. Reference numeral 2804 denotes a session information storage unit that stores session information. Reference numeral 2805 denotes a terminal response generation unit that generates a response to the terminal based on the information acquired from the DB. Reference numeral 2806 denotes a DB request execution unit that generates a request to the DB and extracts DB data from the response. 28
07 is a DB communication means for communicating with the DB.

First, the details of the login process in the conventional system will be described.

First, terminal 2701 outputs a login request to network 2702.

[0011] The login request includes information necessary for login, such as a login ID and a password. In this case, the login ID is aaaaa and the password is abcde.

Next, the login request is input from the network to the relay device 2703. The following processing is performed inside the relay device 2703.

First, a login request is input to the terminal communication means 2801.

Next, since the input request is a login request, the session information management means 2802 starts processing for storing data in the session information storage means 2804. Here, the session information management unit 2802 first uses the login ID and password included in the login request and the
Login to 04. The login unit 2803 creates a login request to the DB from the data of the session information management unit 2802, and accesses the DB 2704 using the DB communication unit 2807. DB
When 2704 returns a response to the login request indicating that the login was successful, the result is returned to session information management means 2802 via login means 2803. In this case, since the login has been successful, the session information management means 2802 generates a session ID upon receiving the response, and stores the set of the session ID, the login name, the password, and the like in the session information storage means 28.
Store in 05. In this case, the generated session ID is aa
aa0000.

FIG. 30 shows the configuration of the session information storage means 2805.

In FIG. 30, reference numeral 2901 denotes a session ID, 2902
Indicates a login ID, 2903 indicates a password, and 2904 indicates a connection destination including an IP address and a machine name.

In FIG. 30, users aaaaa, bbbbb, cccc
Session IDs aaaa0000, bbbb1111, ccc for c
c2222 is assigned, and the corresponding password and connection destination are stored. These data are stored after each user logs in and is assigned a session ID.

Thereafter, if the data acquisition request for the terminal to request the DB data is included in the login request, the DB request execution means 2806 outputs a data acquisition request to the DB 2704. When the DB 2704 returns a response including the requested data in accordance with the data acquisition request, the DB request execution unit 2806 receives the data via the DB communication unit 2807. After receiving the data, a response to the terminal is generated using the terminal response generation means 2805 based on the data and the session ID, and this is output to the terminal 2701 via the 2801. In the case of WWW, the method of incorporating the session ID into the response to the terminal includes using a cookie, embedding the session ID in the link in the response page, and creating a hidden form in the response page and embedding it in the attribute value There are three.

A cookie is an IETF (Internet Engineering)
(Task Force) is described in RFC2109 issued, WW
It is exchanged using HTTP between W server and WWW terminal,
Status information recorded on the WWW terminal. Cookie is H
It is stored on the terminal by specifying the TTP header, and the WWW terminal stores the Cookie in the HTTP header of the request to the WWW server and
By sending to the WW server, the WWW server
It is possible to get the state from ookie.

After logging in, the terminal 2701 displays a response page. When the user of the terminal 2701 subsequently makes a second data acquisition request, the terminal 2701 stores the session ID aaaa0000 embedded in the response to the second data acquisition request,
Output to network 2702.

In response to the second data acquisition request, the type of the input request is a data acquisition request in the relay device 2703. Therefore, the session information management means 2802 performs an inquiry process for the session ID of the second data acquisition request. In this case, aaaa0000
Has already been stored in the session information storage unit 2804, so that the corresponding user name, password, and connection destination can be obtained. Next, using this information, the DB communication means 2707
Use the connection held by to access the DB and acquire data. As this method, there is a method of logging in again here, or a method of acquiring the connection of the DB communication means from the data of the connection destination information if possible and directly connecting to the DB. Next, a response page to the second data acquisition request is generated from the data and the session ID, and output to the terminal.

By using the above-described session management method, the first request can be made by the terminal to login ID.
And the password must be sent to the relay device. From the second time onward, if the session number is sent, DB data can be obtained from the terminal.

As techniques of such a session management system, Japanese Patent Application Laid-Open Nos. 11-41284 and 11-149449,
It is disclosed in JP-A-2000-106552 and the like.

[0024]

In JP-A-11-41284, user information and connection destination information of a client are stored in a session information storage means in a relay device, and a user is provided with only a user name when accessing later. It authenticates the information DB and manages the session. In this method, only one session can be managed for each user, and the connection destination information indicates only the connection destination DB. For example, there is only one connection between the relay device and the server. When exchanging data with multiple users, there is a problem that the connection with the DB cannot be managed.

In Japanese Patent Application Laid-Open No. H11-149449, a thread for performing internal processing of the relay device such as session information management means is started for each session in the relay device, and a thread number is obtained from a correspondence table between session numbers and thread numbers. Then, the data such as the user name is extracted from the resource table held by the thread from the thread number, and the DB is accessed using this. In this case, since the data such as the user name can be referred to only from inside the thread, if the thread starts up for each request and disappears when the processing for the request ends, the data is also destroyed when the thread disappears. Therefore, if this method is used, session management cannot be performed. Also, the relay device needs a function to start a thread for each session, but when creating an application using the API of the WWW server, if the API does not have such a function, the developer himself This method cannot be applied unless functions are implemented.

In Japanese Patent Application Laid-Open No. 2000-106552, at the time of login to a relay device, an information book and a session identifier for identifying a user are sent from a terminal.
After logging in, save the user information book and session identifier. In this case, since the terminal sends the session information together with the login, a mechanism having a session number is required on the terminal side, and since the session number needs to be uniquely assigned to the terminal of the entire system, a plurality of terminals are required. A mechanism is needed to prevent session numbers from being duplicated when a file exists.

In such a WWW-DB cooperation system,
When the terminal sends information for session management, if the session ID assigned between terminals overlaps,
Problems may occur when the terminal user using the ID is different.

When a session ID is embedded in a URL or a hidden parameter in order to support a WWW browser that cannot use a cookie, a link is extracted from the URL or the source of the WWW page, and the URL is accessed from another terminal. By doing so, even non-authorized users can access information on prohibited DBs, which is a so-called spoofing problem. In particular, as of November 2000, this problem is likely to occur because cookies cannot be used in i-mode terminals.

In the above-mentioned method, the number of logins from the terminal in one session is set to one. However, in order to save the login ID and password, which are data from the terminal, as they are, the relay device and the DB are used for access after login. If a session descriptor is required, it is necessary to log in to the DB every time access is performed to obtain the descriptor, which causes a problem of increasing the load on the DB.

Further, in the WWW-DB linkage system, according to a template or script described according to a certain rule,
In some cases, a WWW server accesses a DB in response to a request from a terminal and dynamically generates a WWW page from the result. The processing of this script is performed by a WWW request processing unit such as a thread or a process started by a WWW server for each request. In the conventional method, only information for specifying a DB or information to be input from a terminal is stored in a session information storage unit. . For this reason, even if a variable for logging in and accessing the DB with a certain thread is obtained, it is discarded when the thread finishes processing. Therefore, when the next request is made, the login ID is again stored from the session information storage means. I had to get it and log in again.
Therefore, even if they belong to the same session, one for each request
The user has to log in each time, and the same problem as in the above case occurs.

An object of the present invention is to provide a terminal via a relay device using a protocol that does not manage the connection state such as WWW.
In a system that accesses the DB, even if a thread starts up for each request, the number of logins to the database in the session is limited to one,
Another object of the present invention is to provide a relay device that can easily prevent impersonation of a user other than an authorized user.

[0032]

According to the present invention, a session information storage means for maintaining a connection between a DB and a relay device and directly storing a DB access means used when accessing the DB after logging in to the DB. It is provided with.

Thus, when the relay apparatus processes a request from a terminal belonging to the session, it obtains the DB access means from the session information storage means, and logs in to the DB without logging in for the second and subsequent requests. Access becomes possible, and the effect of shortening the response time and reducing the load on the DB can be obtained.

Secondly, the present invention provides a WWW request processing means activating means for performing a request or a process for each session to a relay apparatus and activating a thread which disappears when the processing is completed, and a session for storing session information outside the thread. It is provided with information storage means.

Thus, even if the thread is started for each request, not for each session, and the DB access means inside the thread is discarded along with the discard of the thread, the DB access means from the session information storage means when processing the next request. By obtaining the means, it is possible to access the DB without logging in, and the effect of shortening the response time and reducing the load on the DB can be obtained.

Thirdly, the present invention comprises a session information management means for deleting, from a session storage means, session information identical to the session ID of the logout request when a logout request is input to the relay device. .

As a result, the effect that the storage capacity of the session information storage means can be reduced is obtained.

Fourth, a session information storage means for storing session information including a login ID, and when a login request is input, there is duplicated session information having a session ID matching the one in the login request. It outputs a login error response to the terminal.

As a result, it is possible to reduce the storage capacity of the session information storage means and to prevent an unauthorized user from accessing from another terminal during access.

Fifth, session information storage means for storing session information including a login time in the relay device, timer means for activating a set process at a set time,
When a login request is input, session information with the current time as the login time is stored in the session information storage means, and a session information management means for setting a timer at the time-out time is provided. The processing for deleting the relevant session information from the storage means is started.

As a result, by reducing the storage capacity of the session information storage means and by limiting the accessible time in one session, the time when unauthorized access is performed to the relay device is limited, and damage is reduced. The effect to be obtained is obtained.

Sixth, the session information storage means for storing information including the terminal identifier and the login ID when the terminal can be identified from the relay device, and the same login ID as compared with the client identifier of the login request at the time of login. A user is provided with session information management means that does not perform a login process for the user.

Thus, the response time to login by the second and subsequent terminals can be reduced, and the relay device and the DB
This has the effect of reducing the number of connections between them.

Seventh, session information storage means for storing a request identifier, which is a character string for identifying a request in a session, as session information in the relay device in association with the session ID, and the terminal stores the session ID and the request identifier. A session information management means is provided for comparing both the session ID and the request identifier when a process request including the request is output, and performing a DB access corresponding to the process request only when both are the same.

This makes it possible to prevent a malicious user from making unauthorized access to the relay device using a session ID or request identifier invalidated due to a timeout or a subsequent processing request. Is obtained.

[0046]

Embodiments of the present invention will be described below with reference to FIGS. 1 to 27.

The present invention is not limited to these embodiments at all, and can be implemented in various modes without departing from the scope of the invention.

(Embodiment 1) Hereinafter, a first embodiment of the present invention will be described.

FIG. 1 shows a block diagram of the present invention.
In FIG. 1, 101 is equipped with a WWW browser, or
A terminal that can access the AP. In addition to a personal computer or a workstation, a mobile phone or a portable information terminal provided with a browser can be used as the terminal. Reference numeral 102 denotes a network for transmitting data, and the terminal 101 and the relay device 103 are connected to the network. The network may be not only a public network such as the Internet, a public telephone network, a mobile telephone network, and an ISDN network, but also a private network such as a dedicated line. A relay device 103 is connected to the network 102 and the DB 104, and acquires data from the DB according to a request from the terminal 101. A DB 104 is connected to the relay device 103 and stores various data. 1
05 is a communication path between the relay device and the DB. As a communication channel,
Any network, such as an ATM, a public telephone network, a frame relay, an extension network, and a LAN, which can communicate between computers, other than a network transmitting IP (Internet Protocol), may be used. Ten
6 to 110 show the configuration of the relay device 103. 106 is terminal 101
This is a relay device control means for receiving a request from the terminal, determining and executing a process corresponding to the request, and outputting a response to the terminal 101. Reference numeral 107 denotes a session information storage unit that stores information about a session. Reference numeral 108 denotes a login unit that performs a process of logging in to the DB. Reference numeral 109 denotes a DB access unit that manages a connection state (session) to the DB.
The DB access means exists as a variable (descriptor) for managing a user name of a logged-in user, an IP address and a port number of a connection destination, a connection state, execution information of the program, and the like on the program. An example of such data is COM (Componen
t ObjectModel), CORBA, Java objects, and LISP language variables. Depending on the implementation language and environment,
The DB access means may have both data and functions (methods). The initialization of this DB access means ends when the login is performed and the DB can be accessed from the relay device.

This state of being logged in and being connected is maintained while the DB access means is held. For example, Microsoft's IIS (Internet Informa
ASP) (Active Server)
When the DB access means is implemented as a COM object using a mechanism called Pages, a COM object for access is generated after logging in to the DB. While this COM object is held, the connection between the relay device 103 and the DB 104 generated by logging in to the DB is maintained, and the CO
If there is an M object, it is possible to access the DB 104 without logging in by using the M object.

Further, at the same time as the DB access means is destroyed, the connection between the relay device represented by the DB access means and the DB is disconnected. Therefore, while the DB access unit is held, it is possible to access the DB from the relay device without logging in. Before the relay apparatus 103 logs in to the DB 104, the DB access means is not initialized. Therefore, even if there is other data from the terminal such as the login ID and the password in the relay apparatus 103, the DB access means 207 is not initialized. Cannot be used to access the DB. In the present application, it is said that this state has not been acquired by the DB access unit 207. 110 is a DB communication means for communicating with the DB.

FIG. 2 shows the structure of the relay device control means 106.
201 is a terminal communication means for communicating with the terminal. If the relay device uses HTTP for the terminal, the terminal communication means
201 is responsible for sending and receiving HTTP. 202 is a session information management means for managing session information. The terminal response generation unit 203 converts the information input from the DB into a format such as HTML that can be interpreted by the terminal.

The DB request execution unit 204 converts the data acquisition request from the terminal into a request on the DB session indicated by the DB access unit, and converts the data using the DB communication unit 204 into the DB.
To get from.

FIG. 3 is a sequence diagram showing the operation of the present embodiment.

The operation of this embodiment will be described below with reference to FIG. 3 and FIGS. 4 to 7 as appropriate. in this case,
It is assumed that users bbbbb and ccccc have logged in to the relay device 103 in advance. (1) Login request 301 First, when the user aaaaa performs a login operation at the terminal 101, the login request 301
Output for 02. When using WWW, the login operation is usually performed by the user acquiring the WWW page for login in advance and inputting it, but even if the application running on the terminal outputs the login request 301 good.

FIG. 4 shows the field structure of the login request 301.

In FIG. 4, reference numeral 401 denotes a request parameter. Here, instruction information indicating login, information reference / update / addition, and information such as the type of information desired to be acquired from the DB are entered. In this case, an identifier indicating a login request is included in the request parameter. Note that a login request and a data acquisition request may be included at the same time. 402 is a login ID for identifying a user. 403 is a password. If the password is encrypted,
It can be easily inferred that the present embodiment operates even with the relay device 101 and the relay device 103. When using WWW (HTTP), a login request can be described using a URL. For example, if the machine name of the relay device 103 is gateway, the login program is login.cgi, the login name is aaaaa, and the password is abcde,

[Outside 1] The request is described as follows. (2) DB Login Request 302 When the login request 301 is input from the network 102 to the relay device 103, the following processing is performed inside the relay device 103, and the DB login request 302 is output. The structure of the DB login request includes a login ID and a password as in the case of the login request 301, but is omitted because it differs depending on the DB.

The processing of the relay device 103 will be described below with reference to the flowchart of FIG. (2-1) The login request 301 is input to the terminal communication means 201 in the relay device control means 106. (501) (2-2) According to request parameter 1201, request is login request 3
If it is 01 (502), the session information management means 202 starts the login process. (2-3) The relay device control means 106 determines the connection destination DB, and the login means 108 generates a DB login request 302 using the login ID and the password. (503) (2-4) The DB communication unit 110 outputs the DB login request 302 to the DB 104. (504) Thereafter, the DB communication unit waits for a DB login response 303. (505) (3) DB Login Response 303 When access by the login ID and password in the DB login request is permitted by DB 104, DB 104 indicates OK.
A login response 303 is returned to the relay device 103. (4) Login Response 304 When the DB login response 304 is returned from the DB 104, the relay device 103 internally performs the following processing and outputs the login response 304 to the network 102. Hereinafter, the numbers in parentheses indicate the numbers of the flowchart in FIG. (4-1) The DB login response 304 is input to the DB communication unit 110. (505) (4-2) The result of the DB login response 304 is O
In the case of K (506), the information necessary for DB access is stored in the DB access means, and it is determined that the information is OK.
Tell 2 (508) If an error occurs, the process ends abnormally (507). (4-3) The processing shifts from here to the relay device control means 106. If the result transmitted by the login means 108 is OK, the session information management means 202 in the relay device control means 106 generates a session ID, and stores the session ID and the DB access means 10
The set of 9 is stored in the session information storage unit 107. (508) FIG. 6 shows the configuration of the session information storage means 107 and the additional processing. The table consisting of 601 and 602 indicates that there is a session by three users bbbbb, ccccc, and ddddd before the addition, and that session IDs of bbbb1111, cccc2222, and dddd3333 are given, respectively. Since the DB access means is stored in the login information, it originally includes data indicating the connection state, but here, it is described as bbbbb for convenience. The table consisting of 603 and 604 shows the configuration of the session information storage unit 107 after the addition. In FIG. 6, 601
Is a session ID for distinguishing a session between the terminal and the DB. Any session ID can be used as long as it is a character on a computer, but if WWW is used, it must be able to be transmitted using HTTP. 602 is D
B is login information that stores access means.

Here, when the user aaaaa logs in,
The session information management means 202 generates a session ID (aaaa0000) using a random number or the like, and stores it in the session information storage means 107 in association with the login ID of the user. This state is indicated by 603 and 604. (4-4) Next, when an unexecuted request remains in the request parameter 401, the request is subjected to each process in the request parameter such as data acquisition using the DB request execution unit. (509) (4-5) The terminal response generation unit 203 generates a response from the data of the DB request execution unit 204, and outputs the login response 304 to the network 102 using the terminal communication unit 201 (510). At this time, the login response 304 has the session ID (aaaa0
000) is output. Later, terminal 101 has a session ID
Terminal 101 at this point in order to output the request
Must store the session ID in the request.

When performing session management on the WWW, there are the following three methods for embedding a session ID in a response.

A. Method of storing session ID in Cookie using Set-Cookie in HTTP header b. Using URL parameter to link in generated HTML

[Outside 2] C. A method of generating a page in which hidden parameters are included in the INPUT tag Next, a process in which the terminal 101 acquires data after login will be described. (5) Data acquisition request 305 Upon receiving the login response 304, the user selects the next process to be performed, and the data acquisition request 305 is sent from the terminal to the network 1
Output to 02.

FIG. 7 shows the field configuration of the data acquisition request 305.

In FIG. 7, reference numeral 701 denotes request parameters indicating that the request is a data acquisition request, data to be acquired, and the like. 702 is a session ID. Session I
As D, the one included in the login response 304 is used as it is. The terminal 101 uses the number stored in the login response 304 as the session ID at this time as it is
Output to In the case of the WWW, the session ID is stored in the data acquisition request as follows, though it differs depending on the above three methods. a. When Cookie is used It is specified by Cookie attribute in HTTP header. b. When stored in a link It is included in the query string included in the URL.

(2) c. When a form is used The session ID is stored in the attribute specified by the login response in the HTTP header. (6) Data request 306 The relay apparatus 103 sends the data acquisition request 305 from the network 102.
Is input, the following processing is performed internally, and the data request
306 is output. (6-1) First, the terminal communication means 201 in the relay device control means 106
Is input with a data acquisition request 305. (501) (6-2) When the request parameter 2101 is a data acquisition request (50
2), session information management means 2 in the relay device control means 106
02 checks whether the session ID in the data acquisition request 305 is stored in the session information storage unit 107 (51).
1) If the data is valid (512), acquire the DB access means. (514) In this case, since the data can be stored, the session information management means 202 acquires the DB access means 109 corresponding to the session ID from the login information field 604 of the session information storage means 107 after adding the data. If the session ID is not stored in the session information storage unit 107, the process ends abnormally. (513) (6-3) The DB request execution unit 204 in the relay device control unit 106
Data request 306 for requesting desired data to DB
It is generated using the access means 109. (515) (6-4) The DB communication unit 110 outputs the data request 306 to the DB 104. (515) Then, a response is waited until data is input. (51
6) With the above processing, for the first login request,
The DB access means is acquired from the response by making the DB login request, but the DB login request is omitted for the second and subsequent data acquisition requests to acquire the DB access means from the session information storage means. In general, the time required for the session information storage means is shorter than the processing time of the login request to the login response, because the communication between the relay device and the DB does not occur.
Since the login process in can be omitted, the load on the DB can also be reduced. (7) DB Data 307 When the data request 306 is input, the DB 104 searches for data corresponding to the request, and outputs the result to the relay device 103 as DB data 307. (8) Data acquisition response 308 When the DB data 307 is input to the relay device 103, the relay device 10
The following processing is performed inside 3, and a data acquisition response 308 is output to the terminal 101 via the network 102. (8-1) The DB data 307 is input to the DB communication unit 110. (517) (8-2) The process in the relay device control means 106 starts here. DB
The request execution means 204 passes the data to the terminal response generation means 203. (8-3) The terminal response generation unit 203 generates a data acquisition response 304 from the session ID and the acquired data, and
Outputs the data acquisition response 304 to the network 102. (518) At this time, the data acquisition response 304 is output including the session ID (aaaa0000) as shown in FIG.

Note that in this embodiment, the terminal
Although the case of referring to the data described above has been described, it can be easily analogized that the same session management mechanism can be applied even when performing other processing such as control of data addition / update, start / stop, and the like for the DB. In the present embodiment, only the DB access means is used when a data request is made from the relay device to the DB.
When an ID or a password is required, it can be easily analogized that the relay device can acquire the data of the DB by appropriately adding these fields to the data request.

Although the fields of various requests are described in the present embodiment, it can be easily analogized that the same function can be realized even if the order of the fields is changed.

As described above, in this embodiment, the DB access means obtained by logging in to the DB is stored in the session information management means,
Even when the processing unit starts up for each request, the load on the DB is high and the number of time-consuming logins is reduced, thereby reducing the DB stability and the time required to output a request from the terminal and return a response. Can be possible.

(Embodiment 2) Hereinafter, a second embodiment of the present invention will be described.

The second embodiment is different from the first embodiment in that the relay apparatus of the first embodiment is provided with a WWW request processing means for processing a request and a WWW request processing means starting means for starting the WWW request processing means. Different from the form 1.

The sequence diagram 3 in the second embodiment and FIGS. 4 to 7 showing the field configuration of the communication message are the same as those in the first embodiment.

FIG. 8 shows the configuration of the second embodiment. In FIG. 8, reference numerals 801 to 805 indicate 101 to 105 of FIG.
Corresponding to

FIG. 9 shows the configuration of the relay device 803, and reference numeral 901 denotes a terminal communication means for communicating with a terminal. Terminal communication means 90
1 corresponds to the terminal communication means 201 of the first embodiment. Reference numeral 902 denotes a session information storage unit that stores information about a session. Session information storage means 902 corresponds to session information storage means 107 of the first embodiment. Reference numeral 903 denotes a WWW request processing unit that performs processing of the relay device in response to a terminal request. The WWW request processing means is activated for each request, and disappears when the processing for the request ends. The WWW request processing means can be implemented by either a process or a thread.

In the WWW server which is a relay device in the WW-DB cooperation system, a WWW request processing means such as a process or a thread is started for each process, and a process for a plurality of requests is performed at the same time. In some cases, the response time may be shortened. For example, Microsoft I
In the ASP of IS, if session management is not performed, a thread starts up for each request, and the thread can dynamically generate a WWW page when processing a script or template. Some other WWW servers have a similar mechanism.

Reference numeral 904 denotes DB communication means for communicating with the DB. DB communication means 904 corresponds to DB communication means 110 of the first embodiment. Reference numeral 905 denotes WWW request processing means activation means for activating the WWW request processing means.

In this embodiment, the WWW request processing means activating means operates when the request is input to the terminal communication means.
Activate the request processing means.

From 906 to 910, the WWW request processing means 90
Means for executing the processing in 3 will be described. Reference numeral 906 denotes a login unit that performs a process of logging in to the DB. Login means 906 corresponds to login means 108 of the first embodiment. 907 is a DB that manages the connection status (session) to the DB
Access means. DB access means 907 corresponds to DB access means 109 of the first embodiment. When the DB access means 907 is inside the WWW request processing means as in the present embodiment, the WWW request processing means 903 disappears and the DB access means 907 is destroyed at the same time. The terminal response generation unit 908 corresponds to the terminal response generation unit 203 of the first embodiment, and converts information input from the DB into a format such as HTML that can be interpreted by the terminal. The DB request execution unit 909 corresponds to the DB request execution unit 110 of the first embodiment, and converts a data acquisition request from a terminal into a request on the DB session indicated by the DB access unit. Get data from DB using. The session information management unit 910 corresponds to the session information management unit 107 of the first embodiment, and manages session information.

FIG. 10 is a flowchart showing the processing of relay apparatus 803 for a request in the present embodiment. FIG.
The difference between FIG. 5 of the first embodiment and FIG. 5 is that the WWW request processing unit 1002 is activated and the WWW request processing unit 1020 disappears.

Hereinafter, differences between the processing of the present embodiment and the first embodiment will be described with reference to FIG. First, processing at the time of login will be described.

In the present embodiment, most of the processing is the same as in the first embodiment except that some processing is performed inside the WWW request processing means. The numbers in parentheses thereafter indicate the numbers of the flowchart in FIG.

Relay apparatus 803 outputs DB login request 302 to DB 804 in response to terminal login request 301. At this time, when the login request 301 is input to the terminal communication means 901 (1001), the WWW request processing means activation means 905 transmits the WWW request
Activate the request processing means 903. (1002) Thereafter, the processing (1003 to 1005) from generation of the DB login request 302 to output to the DB 804 is the same as that of the first embodiment.

On the other hand, the DB outputs a DB login response 303 to the relay device 803, and the relay device 803
304 is output to the terminal 801. Response received at this time 10
The processing from 06 to login response generation / transmission 1011 is the same as in the first embodiment. When the processing up to this point is completed, all processing for the original login request 301 is completed, so
The WWW request processing means disappears (1020). Therefore, WW
The DB access means 907 in the W request processing means 903 is also discarded. However, in the case of the present embodiment, since the DB access unit 907 is saved in the session information storage unit 902 in the processing of the session information storage 1009 in the middle, the processing unit 903 disappears at the end of the processing, and at the same time, the WWW request processing D inside means 903
If B access means 907 is destroyed, DB access means
Since 907 is stored in the session information storage unit 902, the connection can be maintained, and can be reused by acquiring it from the session information storage unit 902 as described later.

Next, a process in which the terminal 801 acquires data after logging in will be described.

In this case, terminal 801 outputs data acquisition request 305 to relay device 803. In contrast, repeater 8
In 03, when the data acquisition request 305 is input to the terminal communication means 201, the WWW request processing means activation means 905 activates the WWW request processing means 903. Subsequent processing is performed inside the WWW request processing means 903. If the request parameter 2101 is a data acquisition request (1003), the session information management unit 20
2 checks whether the session ID in the data acquisition request 305 is stored in the session information storage unit 107 (101
2) If the data is valid (1013), acquire the DB access means. (1015) In this case, since the data can be stored, the session information management means 202 acquires the DB access means 109 corresponding to the session ID from the login information field 604 of the session information storage means 107 after adding the data. Using this DB access means 109, relay apparatus 803 generates and outputs data request 306 as in the first embodiment.
(1016,1017) After that, DB804 to DB data 307 in response to data request 306
Is input to the relay apparatus 803, and the processing until the relay apparatus 803 outputs the data acquisition response 803 to the terminal 801 (1018, 101
9) is the same as in the first embodiment.

With the above processing, the DB access means is obtained from the response to the first login request by making a DB login request as in the first embodiment.
For subsequent data acquisition requests, the DB login request is omitted to acquire the DB access means from the session information storage means. In general, the time required for the session information storage means is shorter than the processing time of the login request to the login response because the communication between the relay device and the DB does not occur, so that the response speed can be improved and the login process in the DB can be omitted. DB load can also be reduced.

Further, when the WWW request processing means is activated for each request, the processing unit and the DB access means disappear after sending a response to the request, so that the DB access means cannot be obtained from the inside of the relay device at the next access. In the present embodiment, the DB access means is evacuated outside the processing unit, so that the evacuated DB access means is acquired again at the next access belonging to the same session, and the DB is accessed without login.
It is possible to access to.

In the present embodiment, W
Although the case where the WW request processing unit is activated has been described, it can be easily analogized that, even when the WW request processing unit is activated for each session, the same function can be realized by using the same session management mechanism as in the present embodiment. Further, it can be easily analogized that the same function can be realized by using the same session management mechanism even when the WWW request processing means is not considered.

(Embodiment 3) Hereinafter, a third embodiment of the present invention will be described.

A block diagram showing the configuration of the present embodiment is the same as FIGS. 8 and 9 of the second embodiment.

FIG. 11 is a sequence diagram showing the present embodiment. In the third embodiment, it is assumed that the user ccccc has already logged in by the method described in the first embodiment, and the users aaaaa, bbbbb, ccccc have logged in to the relay device. Hereinafter, the operation of the present embodiment will be described with reference to FIGS. (1) Logout request 1101 First, user ccccc having session ID cccc2222 is terminal 8.
When the logout operation is performed in 01, a logout request 1101 is output to the relay device 803 to the network 802. The field configuration of this logout request 1101 is shown in FIG.
Shown in

In FIG. 12, reference numeral 1201 denotes a request parameter. In this case, an identifier indicating that this request is a logout request is included in the request parameter. In addition,
A login request and a data acquisition request may be included at the same time. 1202 is the session ID for identifying the session
It is. (2) DB logout request 1102 Logout request 1101 from the network 802 to the relay device 803
Is input, the following processing is performed inside the relay device 803, and a DB logout request 1102 is output. Relay device 80
The processing of 3 is shown below. (2-1) The logout request 1101 of the session ID cccc 2222 is input to the terminal communication means 901. At this time, the WWW request processing means 903 is activated. (2-2) If the request parameter 401 is a logout request 1101, the session information management means 910 starts logout processing. Session information management means 910 requests logout 1
It is checked whether or not the session ID cccc 2222 in 101 is stored in the session information storage unit 902, and if the data is valid, the DB access unit is acquired. (2-3) The DB request execution unit 909 uses the DB access unit 907 to
Generate a B logout request 1102. (2-4) The DB communication unit 904 outputs a DB logout request 1102 to the DB 804. (3) DB logout response 1103 When the DB logout request 1103 is input, the DB 804 performs logout processing, and after the processing is completed, the DB logout response 1103.
Is returned to the relay device 803. (4) Logout Response 1104 When the DB 804 returns the DB logout response 1104 from the DB 804, the relay device 803 internally performs the following processing and outputs the logout response 1104 to the network 802. (4-1) The DB logout response 1104 is input to the DB communication unit 904. (4-2) The DB request execution unit 909 instructs the DB logout response 1104 to delete the session information of the corresponding session ID cccc2222. (4-3) Session information management means 910 is DB request execution means 909
From the session information storage means 902, and deletes the set of the DB access means 907 corresponding to the session ID from the session information storage means 902.
Remove.

FIG. 13 shows the configuration of the session information storage means 902 and the deletion processing at this time. 1301,130
The table consisting of 2 is the state before deletion, and the user aaaaa, bbbbb, ccc
There are three cc sessions, each aaaa000
0, indicates that the session ID of bbbb1111, cccc2222 has been given. Since the DB access means is stored in the login information, data indicating the connection state and the like are originally included in the login information. However, here, aaaaa is described for convenience.

[0092] Here, a case is shown in which the user and the session have a one-to-one correspondence, but in the present embodiment, there may be a plurality of sessions for the user. A table composed of 1303 and 1304 shows the configuration of the session information storage unit 902 after ccccc logs out and deletes the session information. In FIG. 13, reference numeral 1301 denotes a session ID for distinguishing a session between a terminal and a DB. 1302 is login information for storing the DB access means.

Here, when the user ccccc logs out, the session information management means 910 session ID (cccc222)
The part corresponding to (2) is deleted from the session information storage means 902. This state is indicated by 1303 and 1304. (4-4) The terminal response generation unit 908 generates a logout response 1104, and outputs the logout response 1104 to the network 802 using the terminal communication unit 901. After the processing ends, the WWW request processing means 903 ends, and the DB access means 907 is also destroyed.
Thus, the logout process is completed. (5) Data Acquisition Request 1105 After Logout A process performed when a data acquisition request 1105 having a deleted session ID is output after logout will be described. For example, such a request may be made when a screen during session establishment is viewed after logout using a function of redisplaying a previously displayed page on the WWW browser after logout. Data acquisition request 1105 from terminal is network
Output to 802. The fields of the data acquisition request 1105 are the same as those of the data acquisition request 305 of the first embodiment. (6) Error response 1106 The relay device 803 sends a data acquisition request 1105 from the network 802.
Is input, the following processing is performed internally, and an error response is
1106 is output. (6-1) First, a data acquisition request 1105 is input to the terminal communication means 901. (6-2) In case of data acquisition request, session information management means 9
10 checks whether the session ID in the data acquisition request 1105 is stored in the session information storage means 902.
In this case, the search fails because the data being searched for does not exist. (6-3) When the search fails, the terminal response generation unit 908 generates an error response 1106. The screen of the error response 1106 may be an error screen, a screen requesting a login, or the like. (6-4) The terminal communication means 901 sends an error response 110 to the terminal 801.
Send 6

As described above, in the present embodiment, the DB request execution unit of the relay device deletes the corresponding session information from the session information storage unit according to the logout response, thereby reducing the storage capacity of the session information storage unit. Since it is not possible to log in using only the session number after logout, it is possible to prevent other malicious users from referring to, adding, or updating inaccessible information in the DB.

(Embodiment 4) Hereinafter, a fourth embodiment of the present invention will be described.

FIG. 10 is a block diagram showing the configuration of this embodiment.
See Figure 14.

In FIG. 14, steps 1401 to 1405 are the same as steps 801 to 805 of the second embodiment. However, the terminal a 1401 is the same as the terminal 801. In FIG. 14, network 1
The terminal b1406 is connected to 402. Terminal b1406 is the same as terminal 801 of the second embodiment.

In addition, the present embodiment is different from the first embodiment in that a login ID field is added to the session information storage means 902 and the login request.

Hereinafter, the operation of this embodiment will be described with reference to FIG.
This will be described with reference to FIG.

FIG. 15 is a sequence diagram showing the operation of the present embodiment.

First, the user aaaaa of the terminal a logs in. The processes 1501 to 1504 are the same as the processes 801 to 804 in the first embodiment except that the contents of the data to be registered and the like are different. However, in this case, the configuration of the session information storage means is as shown in FIG. 16, and the user aaaaa who made the login request is registered.

In FIG. 16, session ID 1601 and login information 1602 are the same as 601 and 602, respectively. 1603 is a login ID.

Next, the terminal b logs in using the same login ID aaaaa.

At this time, the user of the terminal b has the login ID aa
When the login of aaa is instructed, a login request 1505 is output to the network 1402. For the relay device 1403,
When the login request 1505 is input from the network, the relay device 1403 internally performs the following processing, and outputs a login abnormal response 1506 to the terminal b via the network 1402. (6-1) First, a login request 1505 is input to the terminal communication means 901. (6-2) The session information management means 910 checks whether or not the login ID in the login request 1505 is stored in the session information storage means 902. In this case, the search is successful because the data to be searched exists. (6-3) If the search is successful, the terminal response generation unit 908 generates a login abnormal response 1506. Login abnormal response
The screen 1506 may be an error screen or a screen requesting a login. (6-4) The terminal communication means 901 sends a login abnormal response 1506 to the terminal b1406. Terminal b1406 responds to abnormal login
Upon receiving 1506, the screen is displayed, so that the user of the terminal b can also know that fact.

When the login ID is stored in the session information storage means as described above, if the login ID is included in the data acquisition request during the session, the correspondence between the login ID and the session ID is made every time the request is made. If another user uses the same session ID, it will not be possible to access because the login ID is different.

As described above, in the present embodiment, the login ID is stored in the session information storage means of the relay device, and the login ID is checked at the time of login, so that one user can use the other user while using. Can log in with the same login ID and access data,
The effect of improving security is obtained.

(Embodiment 5) Hereinafter, a fifth embodiment of the present invention will be described. The overall configuration of the present embodiment is the same as that of FIG.
The composition of 03 changes.

FIG. 17 shows relay apparatus 803 in the fourth embodiment.
Is shown.

In FIG. 17, steps 1701 to 1710 are the same as steps 901 to 910 of the second embodiment, respectively. Reference numeral 1711 denotes a timer unit that manages a timer and starts a set process when a timer time comes.

The operation of the present embodiment will be described below with reference to FIG. 18 showing the sequence and FIG. 19 showing the data structure of the session information storage means 1702. (1) Login processing (1801 to 1804) First, when the user instructs login from the terminal 801, a login request 1801 is output from the terminal 801 to the network 802. When a login request 1801 is input from the network to the relay device 803, the following processing is performed inside the relay device 803, and a login response 1804 is output. A sequence of a DB login request 1802 and a DB login response 1803 occurs in the same way as in the second embodiment, but since these are the same as those in the second embodiment, the description is omitted. (1-1) The login request 1801 is input to the terminal communication means 901. Thereafter, relay apparatus 803 performs the same processing as in the second embodiment, and outputs DB login request 1802. In contrast,
The DB 804 performs a login process and outputs a DB login response 1803 to the relay device 803. (1-2) At this time, if the result transmitted by the login means 906 is OK, the session information management means 910 generates a session ID, and sets the set of the session ID and the DB access means 907 in the WWW request processing means 903. It is stored in the session information storage means 902 outside.

FIG. 19 shows the structure of the session information storage means 902 according to the fourth embodiment. 1901 is a session ID and 1902 is a login ID, which are the same as in the second embodiment. On the other hand, 1903 is a field for storing the login time. In the table of FIG. 19, the user aaaa
This indicates that there are three sessions of a, bbbbb, and ccccc, and session IDs of aaaa0000, bbbb1111, and cccc2222 are given. Since the DB access means 907 is stored in the login information, it originally includes data indicating the connection state, but here, for convenience, aaaaa
I wrote it with a login ID.

Here, when the user aaaaa logs in,
As in the second embodiment, the session information management unit 910 generates a session ID (aaaa0000) using a random number or the like, and associates the session ID with the login ID of the user to store the session information.
Is stored in Then, the time at this time is acquired, and this time is stored in the login time field corresponding to the session ID. (1-3) The subsequent processing is performed in the same manner as in the second embodiment, and the relay device 803 outputs a login response 1804 to the terminal 801.

The time at which the login response times out is stored and transmitted, and when the terminal issues a request after this time, the terminal performs a re-login process or a process of outputting an error to the terminal. It is also possible to indicate to the user of the request that the request is impossible. (2) Timer setting 1805 When the login process ends, the session information management unit 1710
The timer means 17 starts a timer after a timeout time set in some form from the current time, and performs processing for deleting session information of session IDaaaa0000.
Set 11 The timeout period is 1 for the entire system.
It is also possible to use individual values or set for each user and acquire from the DB. In this case, login time 13: 0
0, the timeout time is 2 hours. Then the terminal
Access 1806 is performed from 801 to the relay device 803. (3) Timer detection 1807 Only the timeout period from login, timer setting 18
At the time set at 05 (15:00 in this case), the timer unit 1711 activates the session information management unit and starts deleting the session information of the timer. When the session information management means 1710 is activated, the session ID
Start deleting session information for. As a result, the data in the session information storage unit 902 is in a state where the session information of the session ID aaaa0000 is deleted as shown in the tables 1904, 1905, and 1906. (4) Data Acquisition Request 1808 After the timer time arrives, if the user selects a process to acquire data,
Output to 802. (5) Error response 1809 The relay device 803 sends a data acquisition request 1808 from the network 802.
Is input, since the data of the corresponding session ID does not exist in the session information storage unit 902, the same process as that for the data acquisition request 1105 of the third embodiment is internally performed, and an error response 1809 is output.

In the present embodiment, the timer means is used, and at the time of the timer, the timer means activates the session information management means to delete the corresponding session. In addition, a similar function can be realized by performing a process of deleting all data of the session information storage unit that has passed the timer time. Since the script on the WWW usually starts operating in response to a request from the terminal, this method also has an effect of facilitating implementation.

It is also possible to limit the data of the session information storage means to be deleted at the time of access to only the session of the accessing user. Since the amount of processing for each processing is smaller than that of the above processing, the effect of quick response can be obtained.

In the present embodiment, the start time of the timer is set to a time after the login time by the timeout time. However, it can be easily analogized that the same effect can be obtained by starting the timer periodically. .

In the present embodiment, an error screen is returned to the terminal when a request after timeout has been received.
The same effect can be obtained by logging in.

In the present embodiment, the time-out time is determined from the login time, but a similar effect can be obtained by setting the starting point to the last access time. This function can be realized by rewriting the time field of the session information management means every time the user accesses.

In the present embodiment, the login time is stored in the session information storage means. However, it can be easily analogized that the same effect can be obtained even when the login time is used as the time when the timeout occurs.

As described above, in this embodiment, the login time is stored in the session information storage means at the time of login, the timer is set to the timeout time, the session information management means is activated, and the corresponding session is deleted. , Reducing the storage capacity of the session information storage means,
In addition, by limiting the accessible time of one session, it is possible to obtain the effect of limiting the time when unauthorized access is performed by impersonation and reducing damage.

(Embodiment 6) Hereinafter, a fifth embodiment of the present invention will be described.

The overall configuration of the present embodiment is shown in Embodiment 4.
This is the same as FIG.

The internal configuration of relay apparatus 1403 is the same as FIG. 9 showing the internal configuration of relay apparatus 803 of the second embodiment.
The present embodiment is different from the second embodiment in that a client identifier for identifying the terminal 1401 is stored in a login request / data acquisition request and session information storage unit as described later.

The operation of this embodiment will be described with reference to FIGS.
This will be described with reference to FIG. (1) Login request 2001 First, when the user baaaa performs a login operation at the terminal 1401, the login request 2001
Output for 02.

FIG. 21 shows the field configuration of the login request 2001.

In FIG. 21, the field configuration of the requests 2101 to 2103 is the same as the field configuration 401 to 403 of the login request 301 of the first embodiment shown in FIG. 2104 is a client identifier. As the client identifier,
IP addresses, port numbers, machine names, domain names, phone numbers, etc. can be used.

When HTTP is used, it may be included as an HTTP attribute. When the network is an IP network, if the terminal is reachable from the network, the IP address can be obtained by the relay device 1403 without the client identifier 2104 field. Is possible. (2) DB login request 2002 to login response 2004 When a login request 2001 is input from the network to the relay device 1403, the same process as the login process of the second embodiment is performed inside the relay device 1403. A login response 2004 is output.

At this time, the configuration of the session information storage means 902 is shown in FIG.

In FIG. 22, reference numerals 2201 and 2202 denote session IDs and login information, respectively, which are the same as those in the second embodiment. In addition, in this embodiment, a client identifier 2203 and a login ID 2204 are stored. in this case,
Assuming that the user aaaaa has the terminal a1401 and the terminal b1406, first, the information of the aaaaa and the terminal a at the top of FIG. (3) Login request 2005 This time, the user aaaaa logs in similarly at the terminal b1406. Then, a login request 2005 is output to the relay device 1403. (4) Login response 2006 Login request from the network 1402 to the relay device 1403 2005
Is input, the following processing is performed inside the relay apparatus 1403, and a login response 2006 is output to the terminal 1401. (4-1) The login request 2005 is input to the terminal communication means 901. At this time, the WWW request processing means 903 is activated. (4-2) According to the request parameter 401, the request is a login request 20
If it is 05, the session information management means 910 starts the login process. (4-3) The session information management means 910 searches for data with the same login ID. At this time, the search succeeds because there is already login data from the terminal a1401. Also, at this time, the session information management means 910 generates a new session ID (in this case, cccc2222) because the client identifier is different from that of the searched data, and
Copy and store the login information of the searched data in the ID. Similarly, a login ID and a client identifier are also stored. (4-4) The terminal response generation unit 908 generates the login response 2006, and the terminal communication unit 901 outputs the login response 2006 to the terminal b1406. (5) Re-login request 2007, re-login response 2008 Next, processing when a log-in request is made again will be described.
The re-login request 2007 is exactly the same as the log-in request 2005. At this time, the relay device 1403 performs the same process as that for the login request 2005. However, in this case, since both the login ID and the client identifier are the same between the data searched by the session information management unit 910 and the re-login request 2007, a new session ID is not generated and the existing session ID is included. The response is output from the relay device 1403 as a re-login response.

It is also possible to return an error in response to a re-login request. (6) Data Acquisition Request 2009, Error Response 2010 Next, processing when a data acquisition request is made using a session ID of a different terminal will be described.

FIG. 23 shows the field configuration of the data acquisition request.

In FIG. 23, the request parameter 2301 and the session ID 2302 are the same as the fields 701 and 702 in FIG. 7 for the field configuration of the data acquisition request in the second embodiment. 2303 is a client identifier indicating terminal identification information.

First, the terminal b1402 has the session ID cccc22
When 22 is assigned, in the data acquisition request 2009, the data acquisition request 2009 is made using the session ID aaaa0000 of the terminal a1401. In contrast, repeater 1403
Performs the following processing internally and returns an error response 2010. (6-1) First, a data acquisition request 2009 is input to the terminal communication means 901. At this time, the session ID contains aaaa0000, and the client identifier contains the address of terminal b. (6-2) In case of data acquisition request, session information management means 9
10 checks whether the session ID in the data acquisition request 2009 is stored in the session information storage means 902.
In this case, the client identifier for the request session ID aaaa0000 is for the terminal a, and therefore is different from the client identifier for the request. Therefore, the search fails. (6-3) If the search fails, the terminal response generation means 908 generates an error response 2010. As the screen of the error response 2010, an error screen, a screen requesting a login, or the like can be considered. (6-4) The terminal communication means 901 sends an error response 20 to the terminal 1401.
Send 10

When the terminal uses the WWW, by storing the history of the URL requested from the terminal in the session information storage means, more strict session management can be performed for each terminal.

Although the client identifier is exchanged in plain text in the present embodiment, the same effect can be obtained by providing the relay device with an encryption / decryption mechanism, encrypting the client identifier, and exchanging with the terminal. In addition, it can be easily analogized that an effect that the name or address of the terminal is not immediately known can be obtained even when the communication is intercepted by a third party.

As described above, in the present embodiment, when the terminal can be identified from the relay device, the terminal identifier and the login ID are stored in the session information storage means, and are compared with the client identifier of the login request at the time of login. By not performing the login process for the user with the same login ID, the response time to the login by the second and subsequent terminals can be reduced, and the number of connections between the relay device and the DB can be reduced. .

Also, by not generating a session when the same user logs in from the same terminal, 2
It is possible to prevent multiple logins and reduce the storage capacity required for the session information management means.

Further, by comparing the client identifier at the time of the data acquisition request, it is possible to return an error when the session ID is used in another terminal, and it is possible to prevent spoofing by another terminal.

(Embodiment 7) Hereinafter, a seventh embodiment of the present invention will be described.

The configuration of the present embodiment is the same as the configuration of the second embodiment.

In the present embodiment, a request identifier uniquely assigned to identify a request in a session after login as described later is stored in a login response / data acquisition request / data acquisition response and session information storage. It differs from the second embodiment in that it is stored in the means.

Hereinafter, the operation of the present embodiment will be described with reference to FIGS.
This will be described with reference to FIG.

In FIG. 24, there is a circle on the line of the relay device, which indicates a request identifier relating to the session of the terminal in the session information storage means 902 in the relay device 803.

First, login request 2401 to DB login response
The processes up to 2403 are the login requests 301 to DB of the second embodiment.
This is the same as the processing up to the login response 303. (1) Login response 2404 When the DB login response 2403 is input, the following processing is performed inside the relay device 803. (1-1) The DB login response 2403 is input to the DB communication unit 904. (1-2) A notification that the DB request execution unit 909 has received the DB login response 2403 from the DB communication unit 904 is received. (1-3) The session information management unit 910 stores the session information matching the login request 2401 in the session information storage unit 902.
Search from If found, an error occurs due to double login, but if not found, session information is created and stored in session information storage means 902.

This part is shown in the field configuration diagram of the session information storage means 902 in FIG. In this case, before the login of aaaaa, the users bbbbb and ccccc have logged in, and the status is shown in 2501 to 2503. Here is session I for 2501,2502
Both D and the login information are the same as 601 and 602 in the first embodiment. The request identifier 2503 is a character string assigned to identify a series of requests in the same session. In the present embodiment, a description will be given in the form of starting from 1 and increasing by 1 each time the terminal 801 makes a request after the start of a session.However, such as a linear congruential expression for random number generation or the current time, Any string of alphanumeric characters or symbols that can identify the request can be used.

Next, when the user aaaaa logs in, the number of rows of the aaaaa is increased in the session information storage means 902 as shown at 2504-2506. At this time, the session ID aaaa0000 and login information assigned to the user aaaaa are stored in 2504 and 2505, respectively. At this time, since the request is the first request, 1 is stored in the request identifier 2506. (1-4) The terminal response generation unit 908 generates a response from the data of the DB request execution unit 909, and outputs a login response 2404 to the network 802 using the terminal communication unit 901. At this time,
The session ID and the request identifier (1 in this case) are stored in the login response 2404.

Next, a process in which the terminal 801 acquires data after login will be described. (2) Data Acquisition Request 2405 When the login response 2404 is received as in the second embodiment,
The user selects a process to be performed next, and a data acquisition request 2405 is output from the terminal to the network 802. FIG. 26 shows the field configuration of this data acquisition request 2405. In FIG. 26, the request parameters 2601 and 2602 and the session ID are the same as 701 and 702 in the second embodiment, respectively. Reference numeral 2603 denotes a request identifier for identifying a request in the session. Of these, both 2601 and 2603 must use the value stored in the login response 2504. (3) Data request 2406 The relay device 803 sends a data acquisition request 2405 from the network 802.
Is input, the following processing is performed internally, and the data request
2406 is output. (3-1) First, a data acquisition request 2405 is input to the terminal communication unit 901. (1001) (3-2) When the request parameter 2101 is a data acquisition request, the session information management unit 910 acquires the DB access unit if the data acquisition request 2405 is valid. At this time, the session information management unit 910 determines that the session ID in the data acquisition request 2405 is stored in the session information storage unit 902 and that the request identifier corresponding to the session ID is the same as that in the data acquisition request 2405. Only data acquisition request
It is determined that 2405 is valid. When the request identifier is used as the number of requests, the maximum number of accesses in one session is set here. If the request identifier exceeds the maximum number of accesses, the data acquisition request 2405 is invalidated and an error is generated. You can also respond to 801. The subsequent steps up to acquisition by the DB access unit 907 and output of a data request are the same as those in the second embodiment. (4) Data request 2406 to data acquisition response 2408 The data request 2406 and data 2407 are the same as in the second embodiment. In the processing after the data 2407 is input to the DB communication means, the processing of the session information management means 910 is performed in the second embodiment.
And different.

In the present embodiment, after receiving data 2406, session information management means 910 increments the request identifier of the corresponding data in session information storage means 902 by one and stores it.

This will be described with reference to 2504-2509 in FIG. Reference numerals 2504 to 2506 denote data of the session information storage unit 902 before the data acquisition request 2405 is input, and reference numerals 2507 to 2509 denote data of the session information storage means 902 after the data acquisition response 2408 is output. In this case, aaaaa makes a data acquisition request 2405, and the session ID aaaa0
Since 000 is stored, the request identifier corresponding to the session ID aaaa0000 is incremented by one. Therefore, what was 1 in 2506 is 2 in 2509. (5) Second Data Acquisition Request 2409 to Data Acquisition Error 2410 Further, consider the case where the terminal outputs a data acquisition request having a session ID as the second data acquisition request 2409 but a different request identifier, Shows the response to In this case, since the terminal has received the request identifier 2 in the previous response, it is correct to store 2 in the request identifier in the second data acquisition request 2409. However, in this case, when the second data acquisition request 2409 is input to the terminal communication means 901 and the session information management means 910 compares the session ID and the request identifier with the data in the session information storage means 902, the session information storage Session IDaaaa0 in means 902
Since the request identifier for 000 is 2 and is different from request identifier 1 in the second data acquisition request, the second data acquisition request 2402 fails. Then, the terminal response generation means 908
Generates a data acquisition error 2410 and outputs it to the terminal.

Also, in the present embodiment, the session ID and the request identifier are provided separately, but the session ID is not provided, and the request identifier is uniquely assigned to the request to the relay device 803, so that the login is performed. When a response or a data acquisition response is generated, a request identifier is generated for each response, stored in the session information storage unit 902, and the terminal 801 receiving the response inputs the request storing the request identifier to the relay device 803. I do. This will be described below as a specific example.

FIG. 27 shows that the time is accessed using the entire request identifier for each request. In this case, the session information management means stores three types of data: a login name, a password, and an overall request identifier. In this case, the time of the latest access is used as the overall request identifier. It should be noted that, as the overall request identifier, any alphanumeric string that can uniquely identify the request to the server may be used other than the latest access time.

At time 11:30, terminal 801 requests 1 (user A,
When the password A) is transmitted to the relay device 803, the user logs in to the DB 804 in the same manner as described above. Thereafter, the session information management unit 910 uses the session information storage unit 902 to enter “user A” in the login name field and the password In the field, “Password A” is stored, and in the overall request identifier field, “11:30” of the current time is stored.
08 is the response 1 including the entire request identifier (the entire request identifier 11: 3
0) is input to the terminal 801 via the terminal communication means 901. Figure 2
In FIG. 7, the information stored in the session information storage means 902 at this time is collectively described as "user A-password A-11: 30".

Next, when the user makes a request included in Response 1 at time 11:45, the overall request identifier included in Response 1 is 1
Since it is 1:30, the request 801 from the terminal 801 (the entire request identifier 11: 3
0) is input to the relay device 803. Then, the relay device 803
Accesses the DB 804 and stores the session information storage means 8
The overall request identifier in 02 is updated to 11:45, and as a result, a state where the login name: user A, password: password A, and overall request identifier: 11:45 is stored. afterwards,
The response 2 (overall request identifier 11:45) is input to the terminal 801 via the terminal communication means 901.

Thereafter, it is assumed that the user makes a request included in response 1 at time 12:00. For example, when the response is described in HTML, the screen of the response 1 is displayed by a “back” button of the browser on the terminal 801, and at time 12:00 a link on the screen (this link indicates the entire request identifier) This is the case when you click (including). Then, in response 1, since the overall request identifier is 11:30, request 2 (entire request identifier 11:30) is input from the terminal 801 to the relay apparatus 802, but the stored login name: user A password:
Although the password A matches, an error signal is input to the terminal 801 because the stored overall request identifier 11:45 and the overall request identifier 11:30 included in the request do not match. In this case, the session information storage means 902 is not updated.

On the other hand, when the user makes a request included in the response 2 at time 12:00, the overall request identifier in the response 2 is 11:45.
Therefore, the request 3 (entire request identifier 11:45) is
Is input to At this time, since the entire request identifier 11:45 stored in the session information storage means matches the entire request identifier 11:45 in the request 3, the relay device 803 accesses the DB 804, and the relay device 803 The input response is processed, and response 3 (total request identifier 12:00) is input to the relay device 803.

Thus, even if the login information is obtained from the request identifier and the DB is accessed, access using the “return” button of the browser can be similarly prohibited.
Furthermore, since the request identifier changes each time, it is easy to obtain the effect that it is easy to prevent a malicious user from acquiring the request identifier of the formal user and illegally accessing the inaccessible information in the DB. It can be analogized to

In the present embodiment, the request identifier starts from 1 and is incremented by 1 for each request. However, the same effect can be obtained even if the relay device encrypts the request and creates a response. Can be easily analogized.

It can be easily analogized that the same effect can be obtained even when the request identifier includes the time at the time of receiving a request or outputting a response from the relay device.

As described above, in the present embodiment, the request identifier uniquely assigned to the request in the session is stored in the session information storage unit 902, and the request identifier is exchanged with various requests in response to the request. Even if the user's session ID is copied, if the request identifier does not match, the DB data cannot be obtained.Therefore, another malicious user can copy the session ID and copy the inaccessible information in the DB. Reference, addition, and updating can be prevented.

[0160]

According to the present invention, firstly, session information storage for maintaining the connection between the DB and the relay device and directly storing the DB access means used when accessing the DB after logging in to the DB. Means, when the relay apparatus processes a request from a terminal belonging to the session, obtains the DB access means from the session information storage means, and logs in the DB without logging in for the second and subsequent requests.
Access to the database, reducing response time and
This has the effect of reducing the load on the device.

Secondly, the present invention provides a WWW request processing means activating means for performing a request or a process for each session to a relay apparatus and activating a thread which disappears when the processing is completed, and a session for storing session information outside the thread. By providing the information storage means, the thread is started for each request, not for each session, and even if the DB access means inside the thread is discarded along with the discard of the thread, the session information storage means is used for processing the next request. Without logging in by acquiring the DB access means from the DB
Access to the database, reducing response time and
This has the effect of reducing the load on the device.

Third, according to the present invention, when a logout request is input to the relay device, the session information management means for deleting the session information identical to the session ID of the logout request from the session storage means when the logout request is input to the relay device.
The effect that the storage capacity of the session information storage means can be reduced is obtained.

Fourth, session information storage means for storing session information including the login ID in the relay device, and when there is session information having a session ID matching the one in the login request when the login request is input. By outputting a double login error response to the terminal, the storage capacity of the session information storage unit can be reduced, and the effect of preventing an unauthorized user from accessing from another terminal during access can be obtained.

Fifth, session information storage means for storing session information including the login time in the relay device, timer means for activating the set processing at the set time,
When a login request is input, session information with the current time as the login time is stored in the session information storage means, and a session information management means for setting a timer at the time-out time is provided. By starting the process to delete the relevant session information from the storage means,
The effect of reducing the storage capacity of the session information storage means, limiting the accessible time in one session, and limiting the time when unauthorized access to the relay device is performed, thereby reducing damage.

Sixth, session information storage means for storing information including the terminal identifier and the login ID when the terminal can be identified from the relay device, and comparing the client identifier of the login request at the time of login with the same login ID. The session information management means that does not perform the login process for the user of
The effect of reducing the number of connections between DBs is obtained.

Seventh, session information storage means for storing a request identifier, which is a character string for identifying a request in a session, as session information in the relay device in association with the session ID, and the terminal stores the session ID and the request identifier. By providing a session information management means that compares both the session ID and the request identifier when outputting a processing request that includes the processing request, and performs DB access corresponding to the processing request only when both are the same, a malicious user However, even if an unauthorized access is made to the relay device by using the session ID or the request identifier invalidated by the timeout or the subsequent processing request, the effect can be prevented.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating an entire configuration according to a first embodiment of the present invention.

FIG. 2 is a block diagram illustrating a configuration of a relay device according to the first embodiment of the present invention.

FIG. 3 is a sequence diagram showing the operation of the first embodiment of the present invention.

FIG. 4 is a field configuration diagram of a login request according to the first embodiment of the present invention.

FIG. 5 is a flowchart showing processing of a WWW request processing unit according to the first embodiment of the present invention.

FIG. 6 is a field configuration diagram of a session information storage unit according to the first embodiment of the present invention.

FIG. 7 is a field configuration diagram of a data acquisition request according to the first embodiment of the present invention.

FIG. 8 is a block diagram illustrating an overall configuration according to a second embodiment of the present invention.

FIG. 9 is a block diagram illustrating a configuration of a relay device according to a second embodiment of the present invention.

FIG. 10 is a flowchart showing processing of a WWW request processing unit according to the second embodiment of the present invention.

FIG. 11 is a sequence diagram showing an operation according to the third embodiment of the present invention.

FIG. 12 is a diagram illustrating a field configuration of a login request according to the third embodiment of the present invention.

FIG. 13 is a field configuration diagram of a session information storage unit according to the third embodiment of the present invention.

FIG. 14 is a block diagram illustrating an entire configuration according to a fourth embodiment of the present invention.

FIG. 15 is a sequence diagram showing an operation according to the fourth embodiment of the present invention.

FIG. 16 is a field configuration diagram of a session information storage unit according to the fourth embodiment of the present invention.

FIG. 17 is a block diagram illustrating a configuration of a relay device according to a fifth embodiment of the present invention.

FIG. 18 is a sequence diagram showing an operation according to the fifth embodiment of the present invention.

FIG. 19 is a diagram illustrating a field configuration of a session information storage unit according to the fifth embodiment of the present invention.

FIG. 20 is a sequence diagram showing the operation of the sixth embodiment of the present invention.

FIG. 21 is a diagram illustrating a field configuration of a login request according to the sixth embodiment of the present invention.

FIG. 22 is a diagram illustrating a field configuration of a session information storage unit according to the sixth embodiment of the present invention.

FIG. 23 is a field configuration diagram of a data acquisition request according to the sixth embodiment of the present invention.

FIG. 24 is a sequence diagram showing an operation according to the seventh embodiment of the present invention.

FIG. 25 is a diagram illustrating a field configuration of a session information storage unit according to the seventh embodiment of the present invention;

FIG. 26 is a field configuration diagram of a data acquisition request according to the seventh embodiment of the present invention.

FIG. 27 is a data transition diagram in the session information storage means according to the seventh embodiment of the present invention.

FIG. 28 is a block diagram showing the entire configuration of a conventional example.

FIG. 29 is a block diagram showing an internal configuration of a relay device in a conventional example.

FIG. 30 is a field configuration diagram showing a configuration of session information storage means in a conventional example.

[Explanation of symbols]

 101 Terminal 102 Network 103 Relay device 104 DB 105 Communication path between relay device and DB 106 Relay device control means 107 Session information storage means 108 Login means 109 DB access means 110 DB communication means 201 Terminal communication means 202 Session information management means 203 Terminal response generation means 204 DB request execution means 301 Login request 302 DB login request 303 DB login response 304 Login response 305 Data acquisition request 306 Data request 307 DB data 308 Data acquisition response 401 Request parameter 402 Login ID 403 Password 601 Before data addition Session ID 602 Login information before adding data 603 Session ID after adding data 604 Login information after adding data 701 Request parameter 702 Session ID 801 terminal 802 Network 803 Relay device 804 DB 805 Communication path between relay device and DB 901 Terminal Communication means 902 Session information storage means 903 WWW request processing Means 904 DB communication means 905 WWW request processing means activation means 906 Login means 907 DB access means 908 Terminal response generation means 909 DB request execution means 905 910 Session information management means 1101 Logout request 1102 DB logout request 1103 DB logout response 1104 Logout response 1105 Data acquisition request 1106 Error response 1201 Request parameter 1202 Session ID 1301 Session ID before data deletion 1302 Login information before data deletion 1303 Session ID after data deletion 1304 Login information after data deletion 1401 Terminal a 1402 Network 1403 Relay device 1404 DB 1405 Communication path between relay device and DB 1406 Terminal b 1501 Login request 1502 DB login request 1503 DB login response 1504 Login response 1505 Login request 1506 Login abnormal response 1601 Session ID 1602 Login information 1603 Login ID 1701 Terminal communication means 1702 Session information Case Means 1703 WWW request processing means 1704 DB communication means 1705 WWW request processing means activation means 1706 Login means 1707 DB access means 1708 Terminal response generation means 1709 DB request execution means 1710 Session information management means 1711 Timer means 1801 Login request 1802 DB login request 1803 DB login response 1804 Login response 1805 Timer setting 1806 Access 1807 Timer detection 1808 Data acquisition request 1809 Error response 1901 Session ID 1902 Login ID 1903 Login time 2001 Login request 2002 DB login request 2003 DB login response 2004 Login response 2005 Login request 2006 Login response 2007 Re-login request 2008 Re-login response 2009 Data acquisition request 2010 Error response 2101 Request parameter 2102 Login ID 2103 Password 2104 Client identifier 2201 Session ID 2202 Login information 2203 Client identifier 2204 Login ID 2 301 Request parameter 2302 Session ID 2303 Client identifier 2401 Login request 2402 DB login request 2403 DB login response 2404 Login response 2405 Data acquisition request 2406 Data request 2407 DB data 2408 Data acquisition response 2409 Second data acquisition request 2410 Data acquisition error 2501 Before login Login ID before login 2502 Login information before login 2503 Request identifier before login 2504 Session ID after login 2505 Login information after login 2506 Request identifier after login 2507 Session ID after data acquisition 2508 Login information after data acquisition 2509 Data acquisition Request identifier after 2601 Request parameter 2602 Session ID 2603 Request identifier 2701 Terminal 2702 Network 2703 Relay device 2704 DB 2801 Terminal communication means 2802 Session information management means 2803 Login means 2804 Session information storage means 2805 Terminal response generation means 2806 DB request execution means 2901 Session ID 2902 Login ID 2903 Password 2904 Connection destination

 ──────────────────────────────────────────────────の Continuing on the front page (72) Inventor Sachiko Takeshita 1006 Kadoma Kadoma, Kadoma City, Osaka Prefecture Inside Matsushita Electric Industrial Co., Ltd. (72) Michitoshi Ogasawara 1006 Kadoma Kadoma, Kadoma City, Osaka Pref. (72) Inventor Hiroshi Uranaka 1006 Kazuma Kadoma, Osaka Prefecture F-term in Matsushita Electric Industrial Co., Ltd. 5B085 BC01 BG07 5B089 GA19 GB01 HA10 JA35 KA12 KA17 KB13 KE03 KG03

Claims (32)

[Claims] 1. A network, a terminal connected to the network and outputting a login request, a relay device connected to the network and receiving the login request,
A database that is connected to the relay device and that can store and refer to data; the relay device includes a login unit configured to log in to the database in response to the login request; and a virtual device between the terminal and the relay device in response to the login request. Device that generates a session ID for identifying the session, and a DB access device that maintains a connection between the relay device and the database after login. And a session information storage means for storing session information including a set of the DB access means corresponding to the session ID. 2. The terminal control means for inputting the log-in request including a log-in ID, the relay device control means, and the log-in to a database according to the input log-in request.
Login using ID, and if login is successful,
2. The relay device according to claim 1, further comprising: a login unit that generates a DB access unit; and a session information management unit that generates the session ID and stores the DB access unit in the session information storage unit. . 3. The relay device according to claim 1, wherein the session information management means outputs a response including the session ID to the terminal in response to the login request. 4. The relay device according to claim 1, wherein the network is an IP network such as the Internet. 5. The relay device according to claim 1, wherein the terminal is a mobile phone or a mobile terminal capable of communicating with the network. 6. The database access means includes operation state information of the relay device generated after logging in to the database, and indicates a connection between the database and the relay device when executing a request to the database. The relay device according to claim 1, wherein the relay device is an object serving as an identifier. 7. A network, a terminal connected to the network and outputting a login request, a relay device connected to the network and receiving the login request, and a relay device connected to the relay device for storing and referencing data. A database capable of communicating with the terminal, and a session in which a state in which a virtual connection is maintained between the terminal and the relay device in response to the login request, Session information storage means for storing session information, which is information about the session, and WWW request processing means which is activated at the time of the request of the terminal or at the start of the session, performs processing for the request of the terminal, and disappears when the processing is completed Even if the WWW request processing means terminates the processing, Relay apparatus management unit can store the DB access means for maintaining the connections between the said relay device database by retracting the DB access unit to the session information storage unit. 8. The WWW request processing means includes: a login means for logging in to a database in response to the login request; maintaining a connection between the relay device and the database after the login; and operating state information of the relay device; It becomes an identifier indicating a connection at the time of processing the request to the database, and disappears when the WWW request processing means disappears.
The relay apparatus according to claim 7, further comprising: a DB access unit; and a session information management unit that generates the session ID and stores the DB access unit in the session information storage unit. 9. A terminal communication means for inputting the login request including a login ID, a WWW request processing means activation means for activating the WWW request processing means in response to the input login request, and using the login ID for a database. A login means for generating the DB access means upon successful login and a session information management means for generating the session ID and storing the DB access means in the session information storage means; The relay device according to claim 7, wherein 10. A terminal for outputting a processing request including the session ID to the relay device via the network, terminal communication means for inputting the processing request, and the DB access means corresponding to the session ID. The session information management means obtained from the session information storage means, a request for the database in response to the processing request as a DB processing request, using the DB access means
DB request execution means for making a DB processing request, DB communication means for communicating with the database,
8. The relay device according to claim 1, further comprising: terminal response generation means for generating a response to the terminal based on a response to the DB processing request; and terminal communication means for outputting a response to the terminal. . 11. The session information is the login ID.
The relay device according to claim 1, further comprising: 12. When the terminal outputs a processing request including the session ID and the login ID to the relay device,
The session information management unit refers to the session information corresponding to the session ID in the session information storage unit, and the login included in the session information
The relay device according to claim 11, wherein a process corresponding to the processing request is performed when an ID matches the login ID included in the processing request. 13. When the login request is input,
The session information management unit performs an abnormal response or a response prompting a login when the session information including a login ID that matches the login ID included in the login request is present in the session information storage unit. The relay device according to claim 11. 14. The terminal outputs a logout request including the session ID to the relay device via the network, and when the logout request is input to the relay device, the session information management means transmits the logout request to the relay device. 3. The relay device according to claim 2, wherein data including the session ID included in the logout request is deleted from the information storage unit. 15. The relay device, further comprising: timer means for activating a process set at a set time, wherein when the time is stored in the session information, the timer is set and the set time is set. 2. The relay device according to claim 1, wherein the timer unit is activated when the time comes, and a process of deleting the corresponding session information from the session information storage unit is activated. 16. The relay device according to claim 1, wherein the session information includes a time. 17. The method according to claim 17, wherein the time is a time at which the terminal logs in, the login request is input to the relay device, and the session management unit stores the session information in the session information storage unit. 17. The relay device according to claim 16, wherein a current time is stored in the time of the session information. 18. The session information management means, wherein the time is the last access time of the terminal, and when the processing request is input to the relay device or when a response to the processing request is output. 17. The relay device according to claim 16, wherein the time of the session information having the same session ID as the processing request is updated as a current time. 19. The session information management means periodically compares the current time with the time of the session information included in the session information storage means, and when a predetermined condition is met, the session information 17. The relay device according to claim 16, wherein information is deleted from the session information storage unit. 20. When the processing request or the login request is input to the relay device, the session information management means compares the time of the session information included in the session information storage means with a current time, and 17. The relay device according to claim 16, wherein, when a predetermined condition is met, the corresponding session information is deleted from the session information storage unit. 21. The session information management means compares the time with the time corresponding to the session ID of the request stored in the session information storage means, and if they do not match, gives an abnormal response or a response prompting a login. The relay device according to claim 20, wherein the relay device outputs the signal to the terminal. 22. The relay device according to claim 1, wherein the login request, the processing request, or the session information includes a client identifier for identifying a terminal. 23. The session information includes a login ID, the login request is input to the relay device, and the session information that matches both the login ID and the client identifier included in the login request is stored in the session information storage unit. 23. The relay device according to claim 22, wherein when included in the relay device, the terminal response generation unit generates a login response including the session ID included in the session information, and the terminal communication unit outputs the login response to the terminal. . 24. The session information includes a login ID, the login request is input to the relay device, and the session information in which the login ID included in the login request matches and the client identifier is different is stored in the session information storage unit. When included, the session information management means includes a second session ID and the second session ID.
Is generated, the client identifier included in the login request is stored in the second session information, and the remaining information of the second session information is copied from the session information. 23. The relay device according to claim 22, wherein: 25. When the processing request is input to the relay device, and when the session information included in the processing request and having the same session ID and a different client identifier is included in the session information storage unit, the terminal response generation unit may 25. The relay device according to claim 24, wherein a response indicating an abnormality is generated, and the terminal communication unit outputs the response to the terminal. 26. The relay device according to claim 1, wherein an identifier for uniquely identifying a request in the session is a request identifier, and the session information includes the request identifier. 27. When the terminal inputs a processing request storing the session ID and the request identifier to the relay device, the session information matching the session ID and the request identifier included in the processing request. 23. The relay device according to claim 22, wherein, when is stored in the session information storage unit, the session information management unit accesses the database. 28. When the session information that matches the session ID and the request identifier included in the processing request is stored in the session information storage unit,
27. The relay device according to claim 26, wherein the terminal response generation unit generates a response indicating an abnormality or a response prompting a login, and the terminal communication unit outputs the response to the terminal. 29. An identifier for identifying a request to the relay device as an overall request identifier, wherein the session information management means generates the overall request identifier and stores it in the session information, and stores the session information in the session information storage means. The information is stored, the terminal response generation unit generates a processing response that is a response to the processing request of the terminal storing the overall request identifier, and the terminal communication unit outputs the processing response. Item 2. The relay device according to Item 1. 30. When the terminal inputs the processing request storing the first overall request identifier to the relay device, using the overall request identifier in the processing response as a first overall request identifier, the session information When the session information corresponding to the overall request identifier is stored in a management unit, the session information management unit accesses the database using the DB access unit in the session information. 30. The relay device according to 29. 31. If the session information corresponding to the overall request identifier is not stored in the session information management means, the terminal response generation means outputs an abnormal response or a response prompting a login to the terminal. 31. The relay device according to claim 30, wherein 32. The relay device according to claim 1, wherein the relay device responds by encrypting the session ID, the request identifier, or the client identifier.