Title of invention Enabling different client contexts to share session information
Abstract The problem of sharing session information across client contexts is addressed by binding initial session information to a persistent, short-lived and one-time use temporary identifier. This identifier is persisted on a client side (e.g., through a cookie jar) that is shared among the different client contexts that can share the original session. This temporary identifier, in turn, allows one or more other sessions to use the original session information by acting as an index into that session information, which is stored on the server side. Preferably, this temporary identifier contains a unique identifier (ID) that is generated as a sufficiently-complex random number. A mapping back to the real session identifier is maintained on the server side for this short-lived ID.
Publication number US9578111(B2) Publication date 2017.02.21
Application number US201213491706 Application date 2012.06.08
Applicant International Business Machines Corporation Inventors Kasivajjula Bhavan Kumar;Exton Scott Anthony;Robinson Keiran
Classification number H04L29/08 Main classification number H04L29/08
Agency Agents LaBaw Jeffrey S.;Judson David H.
Independent claim 1. A method for sharing pre-existing session information, the session information representing a session having been established upon authentication of a client to a server in a first client context, the client having a cookie store storing information accessible across multiple client contexts, wherein a context is a client-server operating state with respect to a particular client application, comprising: receiving a request for a temporary and persistent cookie, the request having been issued by the client in association with a prospective switch from the first client context to a second client context; in response to the request, associating a unique temporary session identifier with the temporary and persistent cookie, the unique temporary session identifier being distinct from the pre-existing session information that was established upon authentication of the client to the server in the first context; binding the unique temporary session identifier to the pre-existing session information and the session; returning to the client, for storage in the cookie store, the temporary and persistent cookie that includes the unique temporary session identifier; upon a subsequent receipt of the temporary and persistent cookie following an actual switch from the first context to the second context, using the unique temporary session identifier therein to retrieve the pre-existing session information for use by the client in the second context; upon validating existence of the session represented by the session information, providing the client the session information so that both the first and second client contexts share the session information, the session information provided in a non-persistent cookie; and in addition to providing the session information in the non-persistent cookie, providing the client an empty temporary session cookie that, upon receipt at the client, clears the temporary and persistent cookie from the cookie store.
Address Armonk NY US
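
The server-side mapping described in the abstract and claim 1 can be sketched as follows. This is an added example, not code from the patent or from IBM; the cookie names `handoff` and `session`, the 30-second lifetime, the cookie attributes and the `HandoffStore` class are all assumptions made for illustration.

```python
import secrets
import time

TEMP_TTL = 30  # seconds; assumed value, the record only says "short-lived"


class HandoffStore:
    """Hypothetical server-side state: real sessions plus temp-ID mapping."""

    def __init__(self, now=time.monotonic):
        self.sessions = {}  # real session id -> session information
        self.temp = {}      # temporary id -> (real session id, expiry time)
        self.now = now

    def issue_temp_cookie(self, session_id):
        """First context asks for the temporary and persistent cookie."""
        if session_id not in self.sessions:
            raise KeyError("no such session")
        # Random temporary ID, distinct from the real session identifier.
        temp_id = secrets.token_urlsafe(32)
        self.temp[temp_id] = (session_id, self.now() + TEMP_TTL)
        # Max-Age makes the cookie persistent, so it lands in the shared store.
        return f"handoff={temp_id}; Max-Age={TEMP_TTL}; Path=/; Secure; HttpOnly"

    def redeem(self, temp_id):
        """Second context presents the temporary cookie after the switch."""
        entry = self.temp.pop(temp_id, None)  # pop enforces one-time use
        if entry is None:
            return None  # unknown or already redeemed
        session_id, expires = entry
        if self.now() >= expires:
            return None  # temporary ID outlived its short lifetime
        if session_id not in self.sessions:
            return None  # original session no longer exists
        return [
            # No Max-Age/Expires: the session cookie is non-persistent.
            f"session={session_id}; Path=/; Secure; HttpOnly",
            # Empty value with Max-Age=0 clears the temporary cookie.
            "handoff=; Max-Age=0; Path=/; Secure; HttpOnly",
        ]
```

A replayed, expired or orphaned temporary ID returns `None`, so a copy of the persisted cookie is useless once the legitimate second context has redeemed it or the lifetime has passed.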