JP2006053937A - Network service method and client server system for implementing the same - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a network service method capable of allowing both of a user and a service provider to provide and enjoy a specific service in safety. <P>SOLUTION: A server computer which is owned and managed by the service provider and a client computer which is used by the user whose compliance is confirmed by the service provider in advance, and in which a user identification file provided by the service provider is installed, are connected through a network. When the access is requested from the client computer, the presence or absence of the user identification file in the client computer is confirmed by the server computer, and the service provider provides the specific service to the user only with respect to the access request from the client computer on which the existence of user identification file is confirmed. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a network service method capable of receiving various services such as purchase order of items and use of a database by connecting from a client computer to a server computer via a network such as the Internet, and a client server for implementing the same. It is about the system.

  Conventionally, various services are provided through a network. For example, a user can access an order, purchase, and database of an item by accessing a service provider's home page through the Internet from a personal computer (personal computer) used by the user. You can receive specific services such as use and browsing.

  In such a network service, a specific service is provided on a specific web page linked to the homepage (hereinafter referred to as “user-only screen”). In order to prevent unauthorized item ordering, database use, etc. The service provider must provide user-specific information such as user address, name, age, occupation, workplace, job title, gender, telephone number, fax number, e-mail address, credit card number, etc. A user ID and a password set with the information and the service provider are requested, and access to the user-dedicated screen is permitted only when such user information is input.

  However, such user information may be intercepted by others on the network, and may be used improperly and cause a great deal of damage. In particular, user-specific confidential information such as credit card numbers is effective and convenient for confirming user eligibility, which is unknown to the service provider, but can be obtained by unauthorized acquisition and use by others. The damage to the user is extremely large. Of course, there are cases where the service provider suffers a great deal of damage, for example, the database is destroyed by access by another person who has illegally obtained user information.

  Conventionally, various security systems have been proposed, such as using a complicated encryption key to authenticate access rights, but more than authenticating access rights by identifying users (people) on the network. It is difficult to prevent the leakage of user information provided on the network, and an ultra-high security system that can effectively prevent the interception of user information requires a great deal of labor and cost for its development and infrastructure construction. Therefore, it cannot be adopted for general service providers who do not have financial power.

  The present invention provides a network service method capable of safely providing and enjoying a specific service for both users and service providers without causing such problems, and a client / server system capable of suitably implementing the same. Is intended to provide.

  In the present invention, a server computer owned and managed by a service provider and a client computer used by a user whose user eligibility has been confirmed in advance by the service provider and installed with a user identification file provided by the service provider When the client computer is connected via a network and there is an access request from the client computer, the server computer checks the existence of the user identification file in the client computer, and the existence of the user identification file is confirmed. A network service method is proposed in which a service provider provides a specific service to the user only in response to an access request from a client computer.

  In a preferred embodiment of such a network service method, the user identification file does not affect the existing program of the client computer by installing the user identification file, and includes a plurality of ASCII characters. A computer identification symbol. In addition, one or a plurality of computers owned by a user is one in which a user identification file is installed by the user or a service provider. The user qualification is confirmed by concluding a service use contract between the service provider and the user. This service use contract is, for example, an agency contract. The user qualification is confirmed when the user identification file is installed by the service provider, and the service provider visits the user to confirm the user qualification. Moreover, it is preferable that a service provider provides the user identification file of the same content with respect to all the users or several users who are going to recognize an access right. In addition, as a log-in condition for a user-dedicated screen for enjoying a specific service, the server computer requests input of user information that does not include user-specific confidential information. The user information is preferably a user ID and / or a password presented by a service provider. It is preferable that the server computer starts checking for the presence of a computer identification symbol in accordance with a login operation from the user information input screen to the user dedicated screen. Only when the presence of the computer identification symbol is confirmed, the server computer compares the entered user information with the user information stored in the database, and confirms the consistency, thereby confirming the user information from the authentication information input screen. Allow login to the dedicated screen. Further, it is preferable that the presence information of the user identification file is held in a cookie, and the held information in the cookie is lost when the connection to the network is terminated.

Further, in order to suitably implement such a network service method, the present invention connects a client computer owned by a user and a server computer owned and managed by a service provider via a network. A client / server system configured to be able to provide a specific service only in response to an access request from a client computer for which the existence of a user identification file has been confirmed. A computer owned by a qualified user and installed with a user identification file provided by the service provider;
When there is an access request from a client computer, the server computer can confirm the presence or absence of a user identification file contained in the client computer. The user identification file can be installed by installing the user identification file. It does not have any influence on the existing program and has a computer identification symbol that can be confirmed by the server computer, and the computer identification symbol is composed of a plurality of ASCII characters. We propose a client / server system that is characterized.

  In a preferred embodiment of such a client / server system, it is preferable that user identification files installed in a plurality of client computers have the same contents. The server computer preferably requests input of user information that does not include user-specific confidential information as a log-in condition for a user-dedicated screen for enjoying a specific service. This user information is preferably a user ID and / or password presented by the service provider. It is preferable that the server computer starts the confirmation of the presence of the computer identification symbol in accordance with the login operation from the user information input screen to the user dedicated screen, and only when the presence of the computer identification symbol is confirmed. It is preferable that the input user information is collated with the user information stored in the database, and the consistency is confirmed to allow the login from the authentication information input screen to the user dedicated screen.

  In the above network service method or client / server system, access right authentication is not performed by specifying the user (person) but by specifying the client computer itself. Therefore, confidential information unique to the user is not used as an authentication condition. Certain services are generally delivered via the Internet (WWW (World Wide Web), etc.) (for example, ordering and purchasing items (general delivery means (courier service, mailing, shipping, etc.)) Ordered or purchased electronic products (digital data, application software, music data, etc.) and database information (items) delivered (downloaded etc.) by physical products, products and electronic means (Internet, e-mail, etc.) Inventory information etc.)), but also provided through a network other than the Internet (for example, WAN etc.). Presence information in the user identification file is stored in a cookie, and the stored information in the cookie disappears when the connection to the network is terminated (for example, access to the home page is terminated), preventing the information from being intercepted from the network. .

  Further, in such a network service method or client / server system, the user identification file does not have any influence on the existing program of the client computer by installing this, and the browser display of the client computer It is provided with a computer identification symbol whose presence or absence can be confirmed on the screen. Specifically, the computer identification symbol is formed by enumerating a plurality of ASCII characters, and personalizes the computer in which the user identification file is installed. The user identification file is usually stored in a magnetic medium such as a diskette or CD-ROM, or provided to the user from the service provider as an attached file of an e-mail.

  The user qualification can be confirmed when a service use contract (for example, an agency contract) is concluded between the service provider and the user. The act of providing the user identification file from the service provider to the user itself also serves as a user-qualified confirmation act. For example, when the magnetic medium is delivered by a general delivery means such as mail, the user's address, name, etc. can be confirmed upon completion of the delivery, and the user eligibility is confirmed upon completion of the delivery. Also, when a service provider visits a user and provides magnetic media to the user, the service provider can meet with the user, thereby qualifying the user as well as performing a service usage agreement. Judgment can be made reliably.

  The user identification file is installed by a user or service provider whose user qualification has been confirmed, and is performed on one or a plurality of computers that the user intends to use for the network service. The user identification file is installed by the service provider as well as by the user himself / herself. The installation operation by the service provider can be performed when a service use contract is made or when a magnetic medium or the like is provided. Installation by the service provider also serves as confirmation of user eligibility through interviews with the user. Of course, the user lacks computer knowledge, and the user himself has difficulty in performing the installation operation. In order to confirm the eligibility, it is preferable that the service provider performs an installation operation. Note that it is also preferable to limit the number of computers to be installed depending on the service content or user qualification. When performing such restriction, the service provider collects the magnetic medium storing the user identification file after installation. Further, the user identification file (particularly, the computer identification symbol) can have the same content for all users who receive the service by the network service method or a plurality of grouped users. In this case, for security reasons, it is preferable to periodically change the version of the user identification file (change of the computer identification symbol).

  By the way, in the above-described network service method or client / server system, it is necessary to provide a service according to the needs of each user, and a user dedicated screen which is a service providing screen is provided for each user or each grouped user. It may be desirable to let them customize.

  In such a case, in addition to installing the user identification file, the user can be requested to input user information as a log-in condition for a user-dedicated screen for enjoying a specific service. Such user information does not include user-specific confidential information (user's annual income, credit card number, etc.) such that leakage on the network is disadvantageous to the user. In general, the user information and the user ID presented by the service provider and Password or both. The user-dedicated screen can be customized according to the user according to the user ID, and a detailed service according to the individual needs of the user can be provided.

  In such a case, with the login operation from the user information input screen to the user dedicated screen, confirmation of the presence of the user identification file (computer identification symbol) is started, and the server computer confirms the existence of the user identification file. Only the input user information (user ID or the like) is collated with the user information stored in the database, and the log-in from the authentication information input screen to the user dedicated screen is permitted by confirming the matching. That is, by performing the process for checking the consistency of user information such as a user ID after the existence of the user identification file is confirmed, the user information is intercepted on the network, and an unauthorized access request using the user information is issued. Even if it occurs, the request can be surely rejected, and security can be ensured.

  According to the network service method of the present invention, it is possible to safely provide and enjoy a network service. Moreover, it is possible to easily and inexpensively construct a network service system without requiring a complicated and expensive security system. In addition, according to the client / server system of the present invention, such a network service method can be suitably implemented.

  As shown in FIG. 1, the client server system according to the present invention for carrying out the network service method according to the present invention is a network comprising a client computer 1 owned by a user and a server computer 2 owned and managed by a service provider. (Internet) 3 is connected.

  The client computer 1 is a stationary computer (desktop personal computer or the like) or a portable terminal (notebook personal computer or the like) owned by the user, a WWW browser (for example, Microsoft Internet Explorer or Netscape Navigator or the like), a display, or the like. Is sent to the Internet 3 to acquire a resource (hypertext) specified by the URL and display a desired image on the display. As will be described later, a user identification file having a computer identification symbol is installed in the client computer 1 that can use a specific service by the network service (hereinafter, a computer in which the user identification file is installed and a computer in which the user identification file is not installed). And the latter is called "specific computer" and the latter is called "unspecified computer"). In addition, user information (ID and password) is presented by the service provider to a user who uses a specific computer (hereinafter referred to as “specific user” when it is necessary to distinguish a user who uses an unspecified computer). Has been. The number of specific computers 1 allowed for one user can be limited by the service provider, but there is no such limitation, and the user can arbitrarily set it according to the service usage conditions. There is also a case. For example, if you want to use a computer at the head office and a computer at a branch or sales office that is not connected to this as a WAN as a specific computer, or the user's employee wants to access it from any location with a portable terminal such as a laptop computer This is because there are cases.

  The server computer 2 is a computer system including a WWW server 4 and a database 5, and includes a LAN and WAN network system as necessary. The server 4 is connected to the Internet 3 and includes a homepage display file. Note that a general security system (firewall or the like) can be attached to the server computer 2 as necessary. The homepage display file is a process of sending a homepage composed of multiple-level web pages (user information input screen, user-specific screen, etc.) to the browser, acquisition of a computer identification symbol, retention processing, computer identification symbol discrimination processing, It consists of a program that performs user information verification and confirmation processing. In the process of acquiring and holding the computer identification symbol, the computer identification symbol assigned to the computer 1 is automatically acquired by the user identification file when accessing the home page from the specific computer 1, and this is obtained by using the cookie function to the client computer 1 Implicitly on the browser display screen. In the identification processing of the computer identification symbol, the presence or absence of the computer identification symbol acquired and held on the browser display screen of the client computer 1 is determined. In the verification and confirmation processing of the user information, the computer identification symbol When the existence is confirmed, the user ID and password, which are user information input by the user, are checked against the pace information (user information on ID and password held in the database 5) Access to the database 5 is permitted from the screen.

  A user identification file provided by a service provider is installed on the specific computer 1. This user identification file includes a computer identification symbol (text file) formed by arranging an appropriate number of ASCII characters and a dynamic link library (DLL) for reading the computer identification symbol on the browser display screen of the computer 1. In addition to the user identification file, an installation wizard program for incorporating it into a specific computer is stored in the magnetic medium as necessary. The user identification file has a function of giving a specific computer identification symbol (authentication symbol) to the specific computer 1 to distinguish it from other computers (non-specific computers). Directories or files that do not affect the existing programs of the computer 1 (operating systems (Windows 98, MS-DOS, OS / 2, etc.), application programs, etc.) and are not generally operated by the user. (For example, a system file).

  In principle, the service provider installs the user identification file on the specific computer 1 in order to serve as confirmation of user qualification by the service provider and to prevent unauthorized use of the user identification file. In other words, whether the service provider visits the user and installs it on the computer 1 that the user intends to use, so that the service provider is a person who is qualified as a specific user (user qualification). It is possible to directly determine whether it is a person who can properly use the network service, and the safety of the subsequent electronic commerce is guaranteed. On the other hand, when it is guaranteed that the user is a credible person by concluding a service use contract such as an agency contract, a user identification file is stored in a magnetic medium and is used for general mail, courier service, etc. It is delivered to the user by delivery means or as an attached file of an e-mail, and the user himself installs the user identification file. Even in this case, if the specific user is not familiar with the computer operation, the service provider installs the user identification file in response to a request from the user.

  Thus, in the network service method according to the present invention implemented by the client / server system, a service (database use service such as product ordering, inventory inquiry, etc.) specific to a specific user is performed by a routine as shown in FIG. ) Is provided.

  That is, the web browser is started from the specific computer 1 in which the user identification file is installed, the service provider's home page is accessed, and the home page screen is displayed on the display of the specific computer. The homepage screen has a login button for a user-dedicated screen, and when this button is clicked, a user information input screen is displayed. The specific user inputs the user ID and password previously presented by the service provider on this input screen. Then, by clicking a login button displayed on the input screen, a user-specific screen customized by the input user ID is displayed, and access to the database 5 is allowed.

  At this time, the login to the user-dedicated screen is performed only for access by the specific computer 1 in which the user identification file is installed, and is denied for access from an unspecified computer.

  That is, when a login operation (clicking on the login button) from the user information input screen to the user dedicated screen is performed, the presence or absence of a computer identification symbol in the computer 1 is determined and confirmed on the browser display screen of the client computer. . When the presence of the computer identification symbol is confirmed, the server computer 2 compares the user information stored in the database 5 with the input user ID and password. If they match, a user-only screen is displayed and access to the database 5 is permitted. The user-dedicated screen is customized by the user ID and has one or a plurality of sections desired by a specific user. For example, a product order section, an inventory information section, a shipping information section for ordered products, a database download section, and the like. On the other hand, if the entered user ID or password does not match the database information, an appropriate error screen is displayed and login to the user-dedicated screen is rejected.

  In addition, when an access request to the user-dedicated screen is made from an unspecified computer, the computer identification symbol is not confirmed on the browser display screen, an appropriate error screen is displayed, and login to the user-dedicated screen is denied. . At this time, the input user information and the database information are not collated. That is, these information collations are performed only when the presence of a proper computer identification symbol is confirmed. Therefore, even when access from a large number of computers 1 including a plurality of unspecified computers is performed simultaneously, it includes unauthorized access (access using intercepted user information (formally appropriate user ID, password)). The processing load on the server computer 2 (load on the server 4) is reduced as compared with the case where collation and judgment of matching between the entered user ID, password and database information are performed for all accesses including Accordingly, it is not necessary to increase the server capacity more than necessary, and the server computer 2 can be reduced in size and cost.

  By the way, since the user ID and password can be determined by looking at the URL specification line of the browser, the status bar, and further the source code, those who are familiar with HTML commands can easily know it. There is a risk of unauthorized access by others.

  However, as described above, the correctness of the user ID and password is determined only for the access from the specific computer 1 in which the existence of the computer identification symbol is confirmed, and for the access from the unspecified computer 1, the user ID, Even if the password is correct, login to the user-dedicated screen or access to the database 5 is denied, so even if the user ID and password are stolen, the service provider and the user are unforeseen. There is no damage. In addition, since the user ID and password can only be used in the network service, the user (specific user) may be damaged by unauthorized use in other network services, etc., unlike user-specific confidential information. There is no.

  When the server computer confirms the presence of the computer identification symbol, the confirmation information is held in a cookie, and the holding state continues as long as it is connected to the home page including the user-dedicated screen. Therefore, even when login and logoff are repeatedly performed on the user-dedicated screen, it is possible to avoid the trouble of performing the computer identification symbol confirmation process each time. However, the holding by the cookie disappears with the end of the connection to the homepage (release of online) for security.

  By the way, since the computer identification symbol is a simple text file in which ASCII characters are enumerated, it is not conspicuous unlike special files such as encrypted files. However, there is little risk of being hacked. Therefore, personalization of the computer 1 by the computer identification symbol can be an access right authentication means that is extremely effective in terms of security.

  As described above, in the network service method or client / server system according to the present invention, authentication of access right to the user-dedicated screen is performed, and the user (person) is identified by user information such as confidential information unique to the user. Instead, the computer 1 used by the user is personalized by the computer identification symbol inherent therein, so that there is no danger of user information being intercepted on the network, and the user suffers unexpected damage. There is no. In addition, unauthorized access is reliably prevented for the service provider, and the network service can be safely performed without being damaged due to unauthorized entry into the database 5.

  By the way, although it is conceivable to use an IC card reader as a method for authenticating the access right by making the computer unique, it is necessary to install an IC card reader for each computer for which the access right is to be secured. There is a problem that the initial cost for using the is increased. In particular, depending on the user's needs and service contents, when access from a plurality of computers owned by the user is required, an IC card reader must be installed for each computer, which is an economical burden. Will be enormous.

  However, in the network service or the client / server system according to the present invention, only the user identification file is installed in the computer to be used, and no special equipment other than the magnetic medium storing the user identification file is required. The system construction required for (determining the presence or absence of a computer identification symbol) is simple and easy, and can fully meet the user's needs without causing a large economic burden. In addition, once the user identification file is installed, there is no need to operate the IC card reader each time it is accessed, and it is optional when a portable terminal such as a notebook computer is used as the specific computer 1. Service can be easily received from other locations.

  It should be noted that the present invention is not limited to the above-described embodiment, and can be appropriately improved and changed without departing from the basic principle of the present invention.

  For example, user information such as a user ID and a password is necessary for customizing a user-dedicated screen. However, as described above, it is easily intercepted on the network, and in order to ensure the security of the network service. Not so important. Therefore, when the content of the provided service (configuration of the user-dedicated screen) is uniform and does not need to be customized according to the user, it is not required to input user information such as a user ID and password, The access right can be unconditionally authenticated in response to an access request from the computer 1 in which the user identification file is installed. For example, as shown in FIG. 3, when a login operation to a user-dedicated screen (such as clicking a login button on the login screen) is performed, the presence or absence of a computer identification symbol is confirmed on the browser display screen of the client computer 1, and the computer When the presence of the identification symbol is confirmed, login to the user-dedicated screen or access to the database is permitted. Even in such a case, the computer identification symbol is retained as a cookie, and the retained information disappears when the connection to the home page is terminated. On the other hand, if the presence of the computer identification symbol is not confirmed, an error screen is displayed and the access is denied.

  The present invention can be applied to a case where a closed network such as an intranet or an extranet is used, and further, security on a LAN or WAN is desired to be secured.

It is a block diagram which shows an example of the client server system which concerns on this invention. It is a flowchart figure explaining embodiment of the network service method which concerns on this invention. It is a flowchart figure which shows other embodiment of the network service method which concerns on this invention.

Explanation of symbols

1 Client computer 2 Server computer 3 Network (Internet)
4 WWW server 5 Database

Claims (20)

A server computer owned and managed by a service provider, and a client computer used by a user whose user eligibility has been confirmed in advance by the service provider and installed with a user identification file provided by the service provider When there is an access request from a client computer connected via a network, the server computer checks the existence of a user identification file in the client computer, and the client computer from which the existence of the user identification file is confirmed A network service method characterized in that a service provider provides a specific service to the user only in response to an access request. The user identification file does not affect the existing program of the client computer by installing it, and has a computer identification symbol in which a plurality of ASCII characters are enumerated. The network service method according to claim 1. 3. The network service method according to claim 2, wherein the user identification file is installed by a service provider in one or more computers owned by the user. 3. The network service method according to claim 2, wherein one or a plurality of computers owned by a user is one in which a user identification file is installed by the user. 5. The network service method according to claim 1, wherein the user qualification is confirmed by concluding a service use contract between the service provider and the user. 6. The network service method according to claim 5, wherein the service use contract is an agency contract. 6. The network service method according to claim 5, wherein the user qualification is confirmed when the user identification file is installed by the service provider. 6. The network service method according to claim 5, wherein the service provider visits the user and performs user eligibility confirmation. The network according to any one of claims 1 to 8, wherein the service provider provides a user identification file having the same content to all users or a plurality of users who want to grant access rights. Service method. The server computer requests input of user information that does not include user-specific confidential information as a log-in condition for a user-dedicated screen for enjoying a specific service, according to any one of claims 1 to 9. Network service method. 11. The network service method according to claim 10, wherein the user information is a user ID and / or password presented by a service provider. The network service method according to claim 10 or 11, characterized in that a server computer starts checking for the presence of a computer identification symbol in accordance with a login operation from the user information input screen to a user dedicated screen. . Only when the existence of the computer identification symbol is confirmed, the server computer compares the entered user information with the user information stored in the database, and confirms the consistency, thereby confirming the user information from the authentication information input screen. The network service method according to claim 10, wherein login to a dedicated screen is permitted. 14. The network service method according to claim 1, wherein presence information of the user identification file is held in a cookie, and the held information in the cookie is lost when the connection to the network is terminated. A client computer owned by a user and a server computer owned and managed by a service provider are connected via a network, and the service provider responds to an access request from a client computer whose existence of the user identification file is confirmed. A client / server system configured to provide a specific service only,
The client computer is a computer owned by a user whose user eligibility has been confirmed in advance by the service provider and installed with a user identification file provided by the service provider,
When there is an access request from a client computer, the server computer can confirm the presence or absence of a user identification file contained in the client computer,
The user identification file does not have any influence on the existing program of the client computer by installing it, and has a computer identification symbol that can be confirmed by the server computer.
The client / server system, wherein the computer identification symbol is a list of a plurality of ASCII characters. 16. The client / server system according to claim 15, wherein user identification files installed in a plurality of client computers have the same contents. The server computer requests input of user information that does not include user-specific confidential information as a log-in condition for a user-dedicated screen for enjoying a specific service. Client-server system described in 1. 18. The client / server system according to claim 17, wherein the user information is a user ID and / or password presented by a service provider. 19. The server computer according to claim 17, wherein the server computer starts checking for the presence of a computer identification symbol in accordance with a log-in operation from the user information input screen to a user-dedicated screen. Client / server system. Only when the existence of the computer identification symbol is confirmed, the server computer compares the entered user information with the user information stored in the database, and confirms the consistency, thereby confirming the user information from the authentication information input screen. 20. The client / server system according to any one of claims 17 to 19, wherein login to a dedicated screen is permitted.