JP2005122222A - Cookie setting command processing method and apparatus - Google Patents

Abstract

A client device that cannot use a cookie can use the cookie equivalently.
When a request message includes a ciphertext URL (converted URL), the request message is sent to a decryption unit. The decryption unit 163 removes the mark “/ @ _ @ /” in the URL of the request message, decrypts the ciphertext, and reproduces the original URL and management number pair. The verification unit 164 looks up the management number table 131 using these URLs and management numbers, and acquires the corresponding session numbers. The session number management table 132 is looked up using the session number, cookie information is extracted, and a desired cookie value is obtained. The value of this cookie is included in the request message and returned to the application server 11 or the like.
[Selection] Figure 2

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a technique for enabling cookies transparently even in a web browser that cannot use cookies. In addition, the present invention relates to a technique that enables management of a web browser that cannot use cookies.
[0002]
[Background technology]
Mobile phones with a web browsing function have been used. In the web browsing software (web browser) of this mobile phone, cookies cannot be used, and session management using cookies cannot be performed. In such an environment, a web document is dynamically created and a session number or the like is given as an argument in a URL (Uniform Resource Locator) to enable session management. However, such a method cannot be used when a web document is not dynamically created. The same problem occurs when the client side is set not to use cookies from the viewpoint of security.
[0003]
The cookie is information written from the server to the client, and the client returns the cookie to the server under a predetermined condition at a later request. The server can manage sessions using cookies.
[0004]
That is, the server returns a response message to the client request message, and includes a cookie setting command in the header or document of the response message (indicated by reference numerals 1001 and 1002 in FIG. 10). When included in a document, it is described using a meta tag. The cookie setting command includes a cookie value, a path where the cookie value is returned, an expiration date, and the like. A client (web browser) that can accept a cookie accepts a cookie setting command and holds cookie information in a predetermined file. When the client holding the cookie sends a request message to the server and compares the request destination path with the cookie information path and there is a match, the cookie value 1003 as shown in FIG. Is included in the request message and sent to the server. The server receives the cookie value, performs processing according to the value, and returns a response message to the client.
[0005]
Refer to “http://home.netscape.com/newsref/std/cookie_spec.html” for details of the above cookies.
[0006]
The URL is a description format for specifying a server address and information stored in the server. The URL is a protocol for accessing the server, a network address (server name, port number, path), and the like. A query character string (method argument such as GET. Information is a program) is described.
[0007]
[Problems to be solved by the invention]
The present invention has been made in view of the above circumstances, and an object thereof is to provide a technology capable of processing cookies in a manner as if cookies were used even for a web browser that cannot use cookies. It is said.
[0008]
[Means for Solving the Problems]
According to this invention, in order to achieve the above-mentioned object, the configuration as described in the claims is adopted. Here, prior to describing the invention in detail, supplementary explanations of the claims will be given.
[0009]
That is, according to the present invention, in order to achieve the above-mentioned object, in the cookie setting command processing method: the step of extracting cookie information from the cookie setting command of the response message; and the URL in the transfer target document is extracted Converting to a new URL associated with the cookie information; transferring a transfer target document including the new URL to the client device; and determining a cookie value based on the URL included in the request from the client device. A step of extracting; a step of performing information processing based on the value of the cookie; and a step of transferring a document generated as a result of the information processing to the client device.
[0010]
In this configuration, a client device that cannot use a cookie can perform the same treatment as when a cookie setting command is equivalently sent and a cookie is used. The application server or the like can send a response message including a cookie setting command regardless of whether or not the client device is compatible with cookies.
[0011]
There are various types of cookie setting commands. The present invention can be applied to various modes of setting cookies. For example, it may be included in the header of the response message, or may be described by a meta tag in the response message document.
[0012]
The present invention can be realized not only as an apparatus or a system but also as a method. Of course, a part of the invention can be configured as software. Of course, a software product (recording medium) used for causing a computer to execute such software is also included in the technical scope of the present invention.
[0013]
DETAILED DESCRIPTION OF THE INVENTION
Examples of the present invention will be described below.
[0014]
FIG. 1 shows an embodiment of the present invention as a whole. In this figure, a web site 1 is provided with a web server 10 and an application server 11. Computer resources such as the web server 10 and the application server 11 are interconnected by, for example, a local area network (LAN) 12. The application server 11 is a normal one, and receives various requests from the web server 10 via an interface connection such as CGI (Common Gate Interface) and executes various processes. Further, the application server 11 manages the status information of the client device 2 using the cookie database 14 as usual. The web server 10 receives and processes a request message from the client device 2 in accordance with the HTTP protocol. However, the web server 10 has a cookie processing unit 15. The cookie processing unit 15 extracts cookie information from the cookie setting command of the response message from the application server 11, generates a new URL associated with the cookie information, and rewrites the original URL. Information that associates the rewritten URL with the cookie information is managed in the management information database 13.
[0015]
The client device 2 is, for example, a mobile phone having a web browsing function. Of course, other information terminals with a web browsing function can be used. The client device 2 and the website 1 are connected to each other through various communication networks 3 such as the Internet, a private communication network, and the like, to the extent applicable.
[0016]
FIG. 2 schematically shows the cookie processing unit 15. In this figure, the cookie processing unit 15 includes a header cookie information extraction unit 151, a header information update unit 152, a response message synthesis unit 153, and a meta tag cookie information extraction unit 154. , Link scanning unit 155, management number generation unit 156, URL / management number concatenation unit 157, encryption unit 158, link replacement unit 159, management information write / read unit 160, session number generation unit 161, session number storage unit 162, decryption A unit 163, a verification unit 164, and the like are included. The management information database 13 includes a management number table 131, a session number table 132, and the like. The management number table 131 includes information as shown in FIG. The session number table 132 includes information as shown in FIG. The cookie database 14 of FIG. 1 includes information as shown in FIG. The attributes associated with cookie information vary depending on how the cookie information is used. For example, when used as a session ID, it is a user name.
[0017]
The response message can include cookie information in the header or document as shown in FIG. The response message is divided into a header part and a document part. The header part is sent to the header cookie information extracting unit 151 and the header information updating unit 152. The header cookie information extraction unit 151 extracts a cookie setting command (1001 in FIG. 10) included in the header. The header information update unit 152 reflects a document link rewrite described later in the header information. For example, the content length of the header is changed. The updated header is sent to the response message combining unit 153. The response message composition unit 153 assembles a response message obtained by synthesizing a modified document and an updated header, as will be described later, and sends the response message to the client device 2 (FIG. 1).
[0018]
The document part of the response message is sent to the meta tag cookie information extracting unit 154, the link scanning unit 155, and the link replacing unit 159. The meta tag cookie information extraction unit 154 extracts a cookie setting command (1002 in FIG. 10) included in the document. The link scanning unit 155 detects a link (URL specified by an anchor tag) in a document. The detection result is sent to the management number generation unit 156 and the URL / management number connection unit 157. The management number generation unit 156 generates a new unique management number every time a link is detected. For example, the management numbers may be consecutive. The management number is sent to the URL / management number linking unit 157. The URL / management number concatenation unit 157 concatenates the link URL and the management number, and supplies them to the encryption unit 158. The encryption unit 158 sends the connection result to the link replacement unit 159. The link replacement unit 159 replaces the URL of the link in the document with the ciphertext that is the connection result. In this example, a predetermined mark such as “/ @ _ @ /” is added to the head of the ciphertext to clearly indicate that it is a ciphertext or a converted URL. The document in which the URL replaced from the link replacement unit 159 is replaced is sent to the response message combining unit 153, and the response message converted here is combined as described above.
[0019]
The processing is switched depending on whether the request message includes a normal URL or a ciphertext URL (converted URL). When the request message includes a normal URL, the session number generation unit 161 is notified, and the session number generation unit 161 newly generates a session number. This session number is, for example, a serial number. Of course, symbols other than numbers may be used. The session number storage unit 162 receives and stores the session number output from the session number generation unit 161 and the session number determined as described later based on the converted URL. The session number stored in the session number storage unit 162 is held in the management number table 131 together with the management number output from the management number generation unit 156 and the URL output from the link scanning unit 155. Further, the session number stored in the session number storage unit 162 is held in the session number table 132 together with the cookie information output from the header cookie information extraction unit 151 and the meta tag cookie information extraction unit 154.
[0020]
When the request message includes a ciphertext URL (converted URL), the request message is sent to the decryption unit 163. The decryption unit 163 removes the mark “/ @ _ @ /” in the URL of the request message, decrypts the ciphertext, and reproduces the original URL and management number pair. The verification unit 164 looks up the management number table 131 using these URLs and management numbers, and acquires the corresponding session numbers. The session number is stored in the session number storage unit 162, and the session number table 132 is looked up using this session number to obtain cookie information. If the paths match, the cookie value is included in the request message and returned to the application server 11 (FIG. 1) or the like. If there is no corresponding URL and management number pair, a null is output and the process ends.
[0021]
The application server 11 receives the value of the cookie and refers to the cookie database 14 to perform processing according to the attribute of the cookie, such as session management.
[0022]
Next, the operation of this embodiment will be described in detail.
[0023]
FIG. 6 mainly shows a processing flow of a request message in the cookie processing unit 15. Request messages are processed as follows:
[0024]
[Step S10]: A request message is received.
[Step S11]: It is determined whether the URL in the request message is a normal URL or a converted URL. In the case of a normal URL, the process proceeds to step S12. In the case of the converted URL, the process proceeds to step S14.
[Step S12]: The session number generation unit 161 is activated to generate a new session number.
[Step S13]: The newly generated session number is updated and written in the session number storage unit 162.
[Step S14]: The converted URL is decoded by the decoding unit 163.
[Step S15]: The management number table 131 is looked up using the management number obtained by decryption and the original URL. If there is a corresponding record, the process proceeds to step S16. If not, the process is canceled as an inappropriate request message (for example, falsified).
[Step S16]: The session number is extracted from the set of the management number, URL, and session number obtained by table lookup, and is updated and written in the session number storage unit 162.
[Step S17]: The tuple (record) of the read management number is invalidated. As a result, impersonation using a used conversion URL can be avoided.
[Step S18]: The session number table 132 is looked up with the URL and the session number, and the cookie matching the path is taken out.
[Step S19]: A cookie is incorporated into the request message and passed to the application server 11.
[0025]
FIG. 7 shows a flow when processing the cookie setting command of the response message, and the processing is as follows.
[0026]
[Step S20]: Cookie information is extracted from the cookie setting command. The cookie setting command itself is discarded.
[Step S21]: The session number and cookie information read from the session number storage unit 162 are written in the session number table 132.
[Step S22]: The URL is extracted from the document.
[Step S23]: A management number is generated for each URL. The management number is, for example, a serial number.
[Step S24]: The session number, URL, and management number read from the session number storage unit 162 are written in the management number table 131.
[Step S25]: Link the URL and the management number.
[Step S26]: The concatenation result is encrypted.
[Step S27]: Replace the original URL with the ciphertext.
[Step S28]: It is determined whether or not all URLs have been processed. If any URL remains, the process returns to step S22. If not, the process proceeds to step S29.
[Step S29]: The header is updated based on the document with the URL replaced.
[Step S30]: The response message is synthesized by concatenating the URL-replaced document and the updated header. The synthesized response message is sent to the client device 2.
[0027]
FIG. 8 mainly explains the flow of data when setting a cookie with a specific example. In this example, the URL of the request message is “hogehoge.cgi”. The URL itself is normal, i.e. not converted. In this case, a new session number is assigned. Of course, the URL of the request message may be converted. In that case, the corresponding session number is used.
[0028]
It is assumed that the request message is sent, for example, with the user name of the client device 2 as an argument.
[0029]
The application server 11 manages information sent from the user under the cookie “sid”. First, under “sid = 101”, the name of the user (for example, “ishida”) is stored in the cookie database 14. ). At the same time, the application server 11 sends a cookie setting command “Set-Cookie: sid = 101” (other cookie information is not shown) to the web server 10. Later, if the cookie “sid = 101” is sent to the application server 11 at the time of a request from the client device 2, the application server 11 can determine the name “ishida”.
[0030]
“Sid” means a “session ID” used by the application server 11 for the purpose of the application, but this is different from the “session number” used in the cookie processing unit 15 described above.
[0031]
In addition, in this example, the "next.cgi" as the URL of the anchor, have marked the text "Mr. ishida Hello" in the anchor tag.
[0032]
The cookie processing unit 15 of the web server 10 sends a response message (header and document) to the client device 2 after connecting the management number (also described as “clientID”) to the anchor URL. In practice, the concatenated URL and management number are encrypted, and are further marked with a predetermined symbol such as “/ @ _ @ /” and sent to the client apparatus 2. The management number and session number are managed by a management number table 131 and a session number table 132.
[0033]
FIG. 9 illustrates a data flow when a user who has received a response message including a converted URL follows a link using the converted URL, taking a specific example. First, the web server 10 receives a request message including a URL obtained by concatenating “next.cgi” and a management number (client = 123) from the client device 2. This URL is actually encrypted and marked with “/ @ _ @ /”. The cookie processing unit 15 of the web server 10 decrypts the ciphertext of the URL, reproduces the original URL and management number, and verifies with reference to the management information database 13. If the verification is successful, the session number is extracted from the management number table 131, and a desired cookie is extracted from the session number table 132 based on the session number and URL. This cookie is added to the request message and supplied to the application server 11. The application server 11 refers to the cookie database 14 based on the cookie (sid = 101), extracts data “user = ishida”, generates a text such as “Goodbye Ishiida”, and sends it to the web server 10. The cookie processing unit 15 of the web server 10 concatenates the management number to the anchor URL (in this example, “nextnext.cgi”), further encrypts it, adds a mark, and supplies it to the client apparatus 2 as a response message.
[0034]
This is the end of the description of the embodiment.
[0035]
The present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the spirit of the invention. For example, in the above example, the encryption number and the decryption unit are used to perform the encryption process / decryption process on the management number and the URL. The management number may be a serial number or a random number. Symbols other than numbers may be used.
[0036]
Since the cookie setting information is not used by the client device 2, it may not be sent to the client device 2 or may be sent as it is.
[0037]
Whether or not the client device 2 can use the cookie is verified, and the cookie processing of the present invention may be performed only when the cookie cannot be used.
[0038]
In addition, the cookie processing part (cookie processing unit 15) is provided in the web server 10, but may be provided in the application server 11 or provided between the web server 10 and the application server 11. Alternatively, it may be provided at the front end of the web server 10. Moreover, you may provide in the proxy server to which the client apparatus 2 is connected.
[0039]
In the above-described embodiment, the management number is linked to the URL of the link, the management number and the session number (client state management identifier) are associated by the management number table 131, and the session number and cookie information (cookie, path) , Expiration date, etc.) are related by the session number table 132. Then, the management number is reproduced from the URL included in the request message, and finally desired cookie information is acquired. However, only the session number may be used. That is, session management or the like may be performed using the session number.
[0040]
Also, the management number and cookie information may be directly related. That is, the management number table 131 may hold a set of management numbers and cookie information. When a plurality of cookie information has a common path, the plurality of cookie information is related to one management number.
[0041]
Further, the management number and the cookie information may be directly or indirectly associated, and instead of extracting the cookie information from the management number, one or a plurality of cookie information itself may be directly included in the URL for processing. In this case, encryption is preferable.
[0042]
Further, the converted URL may be included in an e-mail or the like and sent to the user. In this way, cookies can be used immediately.
[0043]
The numbers such as the management number and the session number can use various numeric strings, and it is obvious that symbols other than numbers (including alphabets and special symbols) may be used.
[0044]
【The invention's effect】
As described above, according to the present invention, an application that uses a cookie can be used as it is for a client device that cannot use a cookie. In addition, the state of the client device can be managed without using cookies or dynamic web documents.
[Brief description of the drawings]
FIG. 1 is a system diagram showing an embodiment of the present invention as a whole.
FIG. 2 is a block diagram illustrating a configuration example of a cookie processing unit according to the embodiment.
FIG. 3 is a diagram illustrating a management number table of a management information database.
FIG. 4 is a diagram illustrating a session number table of a management information database.
FIG. 5 is a diagram illustrating a cookie database.
FIG. 6 is a flowchart for explaining request message processing;
FIG. 7 is a flowchart for explaining response message processing;
FIG. 8 is a diagram for explaining a data flow in processing for setting a cookie;
FIG. 9 is a diagram illustrating a data flow in a process of following a link.
FIG. 10 is a diagram for explaining a cookie setting command for a response message.
FIG. 11 is a diagram illustrating a cookie of a request message.
[Explanation of symbols]
DESCRIPTION OF SYMBOLS 1 Website 2 Client apparatus 3 Communication network 10 Web server 11 Application server 13 Management information database 131 Management number table 132 Session number table 14 Cookie database 15 Cookie processing part 151 Header cookie information extraction part 152 Header information update part 153 Response message composition part 154 Meta tag cookie information extraction unit 155 Link scanning unit 156 Management number 156 Management number generation unit 157 URL / management number concatenation unit 158 Encryption unit 159 Link replacement unit 160 Management information write / read unit 161 Session number generation unit 162 Session number storage unit 163 Decryption unit 164 Verification unit 1001 Cookie setting command 1002 Cookie setting command 1003 Cookie

Claims (16)

Extracting cookie information from the cookie setting instruction in the response message;
Converting the URL in the transfer target document into a new URL associated with the extracted cookie information;
Transferring a transfer target document including the new URL to a client device;
Retrieving a cookie value based on the URL included in the request from the client device;
Performing information processing based on the value of the cookie;
And a step of transferring a document generated as a result of the information processing to the client device.   The cookie setting command processing method according to claim 1, wherein the new URL includes an original URL and a unique management identifier, and the cookie information is associated with the management identifier.   3. The cookie setting command processing method according to claim 2, wherein when the request with the new URL is received, the management number included in the URL is used, and thereafter, the request with the URL including the same management number is invalidated. .   The cookie setting command processing device according to claim 1, wherein the new URL is generated based on the original URL and the cookie information.   5. The cookie setting according to claim 1, wherein at least a part of the new URL is encrypted and sent to the client device, and the encrypted URL included in the request sent from the client device is decrypted. Instruction processing device. Means for extracting cookie information from the cookie setting instruction of the response message;
Means for converting the URL in the transfer target document into a new URL associated with the extracted cookie information;
Means for transferring a transfer target document including the new URL to a client device; means for extracting a cookie value based on a URL included in a request from the client device;
Means for performing information processing based on the value of the cookie;
A cookie setting command processing apparatus, comprising: means for transferring a document generated as a result of the information processing to the client apparatus; Means for sending a response message including a cookie setting command;
Means for extracting cookie information from the cookie setting command of the response message;
Means for converting the URL in the transfer target document into a new URL associated with the extracted cookie information;
Means for transferring a transfer target document including the new URL to the client device;
Means for retrieving the value of the cookie based on the URL included in the request from the client device;
Means for performing information processing based on the value of the cookie;
A cookie setting command processing apparatus, comprising: means for transferring a document generated as a result of the information processing to the client apparatus; In a server system including a web server and an application server connected to the web server,
Means for receiving a response message sent from the application server;
Means for extracting cookie information from the cookie setting command of the response message;
Means for converting the URL in the transfer target document into a new URL associated with the extracted cookie information;
Means for transferring a transfer target document including the new URL to the client device;
Means for retrieving the value of the cookie based on the URL included in the request from the client device;
And a means for sending the cookie value to the application server. Extracting cookie information from the cookie setting instruction in the response message;
Converting the URL in the transfer target document into a new URL associated with the extracted cookie information;
Transferring the new URL / document to be transferred to the client device;
Retrieving a cookie value based on the URL included in the request from the client device;
Performing information processing based on the value of the cookie;
A computer program used for causing a computer to execute a step of transferring a document generated as a result of the information processing to the client device. In the client state management method for managing the state of the client accessing the server,
Determining whether the URL of the request message specifies a status identifier;
Generating a state identifier when the URL of the request message does not specify a state identifier;
Converting the URL included in the response message document to specify the generated status identifier if the URL of the request message does not specify a status identifier;
When the URL of the request message specifies a state identifier, converting the URL included in the response message document to specify the state identifier;
Transmitting a response message obtained by converting the URL to the client.   The client state management method according to claim 10, wherein the converted URL includes a ciphertext obtained by encrypting an original URL plus information for specifying a state identifier.   The client status management method according to claim 10 or 11, wherein the converted URL includes a mark indicating that the URL has been converted.   11. The client state management method according to claim 10, wherein the converted URL includes a ciphertext obtained by encrypting an original URL plus a unique management identifier, and the management number is associated with the state identifier.   14. The client state management method according to claim 10, 11, 12, or 13, wherein the state identifier is associated with a cookie. In the client status management device that manages the status of clients accessing the server,
Means for determining whether the URL of the request message specifies a status identifier;
Means for generating a state identifier if the URL of the request message does not specify a state identifier;
Means for converting the URL included in the response message document to specify the generated status identifier when the URL of the request message does not specify the status identifier;
Means for converting the URL included in the response message document to specify the state identifier when the URL of the request message specifies the state identifier;
Means for transmitting a response message obtained by converting the URL to the client. In a client state management computer program used to manage the state of a client accessing a server,
Determining whether the URL of the request message specifies a status identifier;
Generating a state identifier when the URL of the request message does not specify a state identifier;
Converting the URL included in the response message document to specify the generated status identifier if the URL of the request message does not specify a status identifier;
When the URL of the request message specifies a state identifier, converting the URL included in the response message document to specify the state identifier;
A computer program for managing a client state, which is used for causing a computer to execute the step of transmitting a response message obtained by converting the URL to the client.

Images