Aol Inc.

Facebook, Inc.

Citrix Systems, Inc.

Bright Sun Technologies

America Online, Inc.

Aol Llc, a Delaware Limited Liability Company

American Online, Inc.

Christopher Newell Toomey

Conor Patrick Cahill

Andrew Lee Wick

Alan Keister

Aleksey Sanin

Robert G Watkins

Xiaopeng Zhang

Donald Eaves

Russell Richards

James Anthony Roskind

Norihiro Edwin Aoki

David Wexelblat

Jeromy Carriere

A method and apparatus for fine-grained, trust-based rate limiting of network requests distinguishes trusted network traffic from untrusted network traffic at the granularity of an individual user/machine combination, so that network traffic policing measures are readily implemented against untrusted and potentially hostile traffic without compromising service to trusted users. A server establishes a user/client pair as trusted by issuing a trust token to the client when successfully authenticating to the server for the first time. Subsequently, the client provides the trust token at login. At the server, rate policies apportion bandwidth according to type of traffic: network requests that include a valid trust token are granted highest priority. Rate policies further specify bandwidth restrictions imposed for untrusted network traffic. This scheme enables the server to throttle untrusted password-guessing requests from crackers without penalizing most friendly logins and only slightly penalizing the relatively few untrusted friendly logins.

Method and system for trust-based processing of network requests

Method and apparatus for trust-based, fine-grained rate limiting of network requests

Leveraging an established authenticated session in obtaining authentication to a client application includes receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination. When the determination reveals characteristics of at least one leverageable authentication corresponding to an established session, and attempt is made to obtain access for the requestor to the client application based on the at least one leverageable authentication, and the requestor is provided with a notification related to the 1 attempt to obtain access for the requestor to the client application.

Implementing single sign-on across a heterogeneous collection of client/server and web-based applications

A system and method for determining in a global network the user network authentication status as the user goes from site to site within the network is provided. Additionally, the system and method provides for transparent or implicit multi-site logon functionality, including automatic introduction from one site to the other using a baseline authentication agency (). The system and method provides an architecture for a core global network () (referred to herein as NET) that incorporates some or all of the following features and components: a set of baseline authentication agencies responsible for the core global network (NET) services, such as login and user-selected service-provider lookup; a shared NET domain and associated DNS records () used for cookie () sharing, login routing, and the like; and a collection of partner sites () accessible via the NET.

Seamless cross-site user authentication status detection and automatic login

Protection is provided to prevent a computer user from unintentionally giving away sensitive data (e.g., security credentials, credit card number, PINs, personal data, or bank account number) to an illegitimate or unintended entity by means of a client application capable of communicating the sensitive data across a network to other computer users. To provide the protection, user input is monitored to detect a user entry of the sensitive data into the client application for communication to other users. When such an entry occurs, action is taken to reduce the likelihood of an unintentional giveaway of the sensitive data or to reduce the effects of an unintentional giveaway.

Techniques for detecting and preventing unintentional disclosures of sensitive data

The invention provides a method for flexibly, safely, robustly, and efficiently serving user interface pages composed of foreign content supplied by a third-party as well as local content supplied by the first party by allowing the cobrander to serve cobranded page templates. The cobrandee server retrieves the cobranded page templates from cobrander server and inserts the cobrandee contents into the cobranded page templates to generate cobranded Web content pages.

Method for flexible, safe, robust, and efficient generation and serving of multi-source world-wide web content pages

The volume of outgoing electronic messages from a given entity may be restricted by preventing the messages, such as spam, from being sent. Messages may be restricted, for example, by serializing outgoing messages using a mutual-exclusion locking technique or by using a ticket-based system. Serialization may occur, for example, at a web level in web-based implementations. In one system, a limited-use ticket is generated that allows an entity to send one or more electronic messages, and the ticket is provided to the entity. A request is received from the entity to send an electronic message, and the request is associated with the ticket and the electronic message. After receiving the request, a determination is made as to whether the ticket is valid and, if the ticket is determined to be valid, the electronic message is approved for sending.

Restricting the volume of outbound electronic messages originated by a single entity

Leveraging an established authenticated session in obtaining authentication to a client application includes receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination. When the determination reveals characteristics of at least one leverageable authentication corresponding to an established session, and attempt is made to obtain access for the requester to the client application based on the at least one leverageable authentication, and the requestor is provided with a notification related to the attempt to obtain access for the requester to the client application.

An identity based service system is provided, in which an identity is created and managed for a user or principal, such that at least a portion of the identity is available to use between one or more system entities. A discovery service enables a system entity to discover a service descriptor, given a service name and a name identifier of the user, whereby system entities can find and invoke the user's other personal web services. The discovery service preferably provides a translation between a plurality of namespaces, to prevent linkable identity information over time between system entities.

Identity based service system

A solution is provided to monitor Web browsing activity across an Internet based network of affiliated Web sites and to enable the Web sites to detect and to force re-authentication upon users who have had a period of network-wide inactivity longer than a site-specific maximum allowable inactivity period. The network comprises at least one network authentication server (NAS) which maintains a network-wide activity tracking (NATr) cookie. The NATr cookie comprises a set of network-wide activity tracking (NATr) parameters for each registered user. Each of the Web sites maintains a site-specific activity tracking (SATr) cookie which comprises a set of site-specific activity tracking (SATr) parameters for each registered user. The NATr parameters for each user are reset whenever the user authenticates to the network. When a user requests a page from a site, an NAS forces the user to re-authenticate when the NAS determines that the user's network-wide inactivity duration is longer than the site's maximum allowable inactivity period.

Growing community of inventors

Cupertino, CA, United States of America

Christopher Newell Toomey